Skip to main content

no-worker-blob-url

Disallow worker code-loading APIs that use blob: URLs or URL.createObjectURL(...) for executable scripts.

Targeted pattern scopeโ€‹

This rule targets blob-backed worker code-loading through:

  • new Worker(...)
  • new SharedWorker(...)
  • importScripts(...)

The rule reports both static blob: string URLs and direct URL.createObjectURL(...) calls passed into those sinks.

What this rule reportsโ€‹

This rule reports worker code-loading expressions that source executable code from blob URLs or object URLs.

Why this rule existsโ€‹

Blob-backed worker bootstraps hide executable code behind dynamically generated object URLs. That makes code-loading harder to audit and can blur trust boundaries in worker startup paths.

โŒ Incorrectโ€‹

new Worker(URL.createObjectURL(workerBlob));
self.importScripts("blob:https://example.com/bootstrap");

โœ… Correctโ€‹

new Worker("https://cdn.example.com/worker.js");
self.importScripts("https://cdn.example.com/worker-helpers.js");

Behavior and migration notesโ€‹

This rule intentionally focuses on direct blob-backed worker code-loading expressions. Indirect variables and broader blob URL usage are out of scope.

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-worker-blob-url": "error",
},
},
];

When not to use itโ€‹

Disable this rule only if your project intentionally relies on blob-backed worker code-loading and that design has been reviewed and approved.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R067