no-service-worker-unsafe-script-url
Disallow unsafe service worker script URLs such as data:, blob:, javascript:, and direct URL.createObjectURL(...) registrations.
Targeted pattern scopeโ
This rule targets navigator.serviceWorker.register(...) when the script URL is
one of the following direct expressions:
- a static
data:URL - a static
blob:URL - a static
javascript:URL - a direct
URL.createObjectURL(...)call
The rule also covers window.navigator, self.navigator, and
globalThis.navigator access forms.
What this rule reportsโ
This rule reports direct unsafe service worker registration URLs only. Indirect variables and broader registration policies are out of scope.
Why this rule existsโ
ServiceWorkerContainer.register() is an executable script-loading sink. Using
non-reviewable or dynamically generated script URLs for service workers makes
registration paths harder to audit and can undermine SDL expectations around
trusted worker code.
โ Incorrectโ
navigator.serviceWorker.register("data:text/javascript,bootstrap()");
globalThis.navigator.serviceWorker.register(URL.createObjectURL(workerBlob));
โ Correctโ
navigator.serviceWorker.register("/sw.js");
Behavior and migration notesโ
This rule intentionally focuses on direct unsafe script URL expressions. Dynamic variables, Trusted Types policies, and broader origin-validation strategies are out of scope.
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-service-worker-unsafe-script-url": "error",
},
},
];
When not to use itโ
Disable this rule only if your project intentionally relies on these service worker registration forms and that design has been reviewed and approved.
Package documentationโ
Further readingโ
Rule catalog ID: R069