no-worker-data-url

Disallow worker code-loading APIs that use static data: URLs for executable scripts.

Targeted pattern scope

This rule targets static data: URLs passed to:

  • new Worker(...)
  • new SharedWorker(...)
  • importScripts(...)

The rule also covers window, self, and globalThis member access forms.

What this rule reports

This rule reports data: URLs only when they are used as worker code-loading inputs. It does not report data: URLs used anywhere else.

Why this rule exists

A data: URL in a worker entrypoint or importScripts(...) call embeds executable JavaScript directly in the URL value. That makes code loading harder to review and can blur trust boundaries in worker bootstrap paths.

❌ Incorrect

new Worker("data:text/javascript,postMessage('hi')");
self.importScripts("data:text/javascript,bootstrap()");

✅ Correct

new Worker("https://cdn.example.com/worker.js");
self.importScripts("https://cdn.example.com/worker-helpers.js");

Behavior and migration notes

This rule intentionally focuses on static data: URLs in worker code-loading APIs. Dynamic worker URLs and other worker-related risks are out of scope.
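The scope described above (constructor and importScripts calls, global member access forms, static values only), as an added JavaScript sketch over hand-built ESTree-style nodes. It is not the plugin's implementation; the helper names, the treatment of expression-free template literals as static, and the check of every importScripts argument are assumptions.

```javascript
// Added sketch: classifies ESTree-shaped nodes the way the rule text describes.
// Not the plugin's implementation; the node objects below are constructed by hand.
const GLOBALS = new Set(["window", "self", "globalThis"]);
const CTORS = new Set(["Worker", "SharedWorker"]);

// Resolve `Worker`, `self.Worker`, `globalThis.importScripts`, ... to a bare name.
function calleeName(callee) {
  if (callee.type === "Identifier") return callee.name;
  if (
    callee.type === "MemberExpression" && !callee.computed &&
    callee.object.type === "Identifier" && GLOBALS.has(callee.object.name) &&
    callee.property.type === "Identifier"
  ) return callee.property.name;
  return null;
}

// Return the string value only when it is known statically, else null.
function staticString(arg) {
  if (!arg) return null;
  if (arg.type === "Literal" && typeof arg.value === "string") return arg.value;
  // Assumption: a template literal with no ${} parts counts as static.
  if (arg.type === "TemplateLiteral" && arg.expressions.length === 0)
    return arg.quasis[0].value.cooked;
  return null;
}

const isDataUrl = (s) => s !== null && /^\s*data:/i.test(s);

function reportsDataUrl(node) {
  const name = calleeName(node.callee);
  if (node.type === "NewExpression" && CTORS.has(name))
    return isDataUrl(staticString(node.arguments[0]));
  if (node.type === "CallExpression" && name === "importScripts")
    return node.arguments.some((a) => isDataUrl(staticString(a)));
  return false;
}

// Constructed sample nodes (hypothetical inputs, not taken from the plugin's tests).
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const member = (o, p) => ({ type: "MemberExpression", computed: false, object: id(o), property: id(p) });
const samples = {
  directWorker: { type: "NewExpression", callee: id("Worker"), arguments: [lit("data:text/javascript,postMessage('hi')")] },
  selfImport: { type: "CallExpression", callee: member("self", "importScripts"), arguments: [lit("https://cdn.example.com/a.js"), lit("data:text/javascript,bootstrap()")] },
  httpsWorker: { type: "NewExpression", callee: member("window", "SharedWorker"), arguments: [lit("https://cdn.example.com/worker.js")] },
  dynamicWorker: { type: "NewExpression", callee: id("Worker"), arguments: [id("workerUrl")] },
  nonWorker: { type: "CallExpression", callee: id("fetch"), arguments: [lit("data:text/plain,hello")] },
};
```

The dynamicWorker and nonWorker samples return false, matching the stated out-of-scope cases: a URL held in a variable, and a data: URL passed to a non-worker API.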

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },
    rules: {
      "sdl/no-worker-data-url": "error",
    },
  },
];

When not to use it

Disable this rule only if your project intentionally relies on worker code from data: URLs and that design has been reviewed and approved.


Rule catalog ID: R065