[Web] Add ability to use custom worker script to avoid CSP policy violations when 'worker-src' doesn't allow 'blob:' path #19708
Labels
feature request
request for unsupported feature or enhancement
platform:web
issues related to ONNX Runtime web; typically submitted using template
Describe the issue
When trying to use proxy mode or multi-threaded mode, for example setting ort flags to:
ort.env.wasm.proxy = true; ort.env.wasm.numThreads = 4;
when the hosted app has a strict CSP policy and doesn't allow using the 'blob:' schema for web workers (doesn't explicitly add 'blob:' to 'worker-src' and 'script-src'), the following error happens:
Refused to create a worker from 'blob:...because it violates the following Content Security Policy directive: "worker-src...
Ideally it would be good to have some env settings that allow specifying the path to a custom worker, and to provide some pre-bundled script that can be loaded directly from the hosted app (for example, something similar to https://docs.sentry.io/platforms/javascript/session-replay/configuration/#using-a-custom-compression-worker).
To reproduce
Host the ONNX web runtime on a site with a strict CSP policy that, for example, only specifies the following directive:
"worker-src 'self'"
Urgency
As more sites add CSP policies, having this option would allow wider / easier adoption of the ONNX web runtime; otherwise you either need to revert to the slower UI-thread-only mode, or adoption is prevented altogether.
ONNX Runtime Installation
Built from Source
ONNX Runtime Version or Commit ID
1.17.0
Execution Provider
'wasm'/'cpu' (WebAssembly CPU)
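Added example, not part of the original issue and not ONNX Runtime code: a simplified JavaScript check of whether a CSP permits a given worker URL, showing why `worker-src 'self'` rejects a `blob:` worker while a same-origin script file passes. The origin `https://app.example`, the blob id and the file name `ort-worker.js` are hypothetical, and the matcher covers only keywords, scheme sources and scheme-qualified hosts.

```javascript
// Added example: simplified check of a worker URL against a CSP (not a full CSP3 matcher).
// Directive that governs workers: first one present in this fallback chain.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse a policy string into Map<directive name, source list>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Match one source expression. Paths, wildcard hosts and scheme-less hosts are not handled.
function sourceMatches(source, url, selfUrl) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  // 'self' compares scheme and host, so a blob: URL never matches it,
  // even when the blob was created by the page's own origin.
  if (src === "'self'") return url.protocol === selfUrl.protocol && url.host === selfUrl.host;
  // The wildcard does not cover blob:, data: or filesystem: URLs.
  if (src === '*') return !['blob:', 'data:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme-source
  try {
    const s = new URL(src); // host-source written with a scheme
    return url.protocol === s.protocol && url.host === s.host;
  } catch {
    return false; // keywords such as 'unsafe-inline' do not match URLs
  }
}

// Returns { allowed, directive } for creating a worker from workerUrl on pageUrl.
function workerAllowed(policy, workerUrl, pageUrl) {
  const directives = parseCsp(policy);
  const governing = WORKER_FALLBACK.find((d) => directives.has(d));
  if (!governing) return { allowed: true, directive: null }; // no directive restricts workers
  const url = new URL(workerUrl);
  const selfUrl = new URL(pageUrl);
  const allowed = directives.get(governing).some((s) => sourceMatches(s, url, selfUrl));
  return { allowed, directive: governing };
}

// Constructed sample values: hypothetical origin, blob id and worker file name.
const PAGE = 'https://app.example/';
console.log(workerAllowed("worker-src 'self'", 'blob:https://app.example/3f1c', PAGE));
console.log(workerAllowed("worker-src 'self'", 'https://app.example/ort-worker.js', PAGE));
```

The same function shows the fallback behaviour: with no `worker-src` present, `script-src` decides whether the worker may be created.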