en-US

Enable opaque origins for data URLs in Web Workers

Supported on: Microsoft Windows 7 or later

Registry

HKLM Software\Policies\Google\Chrome
HKCU Software\Policies\Google\Chrome

Value name: DataUrlInWebWorkerOpaqueOriginEnabled

Enabled: DataUrlInWebWorkerOpaqueOriginEnabled = 1

Disabled: DataUrlInWebWorkerOpaqueOriginEnabled = 0

Description

Controls whether Web Workers created from data URLs are assigned a unique opaque origin. Web Workers can be created using a data URL containing the worker's script. Previously, these workers inherited the origin of the page that created them, allowing them to access the same local storage, cookies, and other origin-bound data. To improve security and align with the HTML specification, Chrome is changing its default behavior in milestone 149 so that workers created from data URLs will now have a unique, opaque origin. This isolates them from the creator page's data. If this policy is set to Enabled or left unset, the new default (more secure) behavior is used, and Web Workers created from data URLs will have a unique opaque origin. If this policy is set to Disabled, Chrome reverts to the legacy behavior, and Web Workers created from data URLs will inherit the origin of their creator. This allows administrators to temporarily resolve compatibility issues if internal applications break due to the security change. This policy is intended to be temporary and will be removed in milestone 157.