
DotLottieWorker is unsafe for CSP due to blob object usage #579

@azaleas

Description

Hey team,

We have been running different benchmarks for Lottie usage and concluded that we can use Lottie in our project only with the worker version.

However, our security team has a limitation in our CSP rules that doesn't allow us to add `worker-src: blob:` (or `script-src: blob:`), because usage of `blob:` is treated as equal to `unsafe-eval` per the specs.

Checking the code, it looks like dotlottie-web generates the worker via a blob only:

```js
// Quoted from dotlottie-web; the `${...}` appears to be a build-time template
// interpolation that inlines the worker's bytes into the generated source.
const blob = new Blob([new Uint8Array([${uint8Array.join(',')}])], { type: 'application/javascript' });
const url = URL.createObjectURL(blob);
const worker = new Worker(url);
URL.revokeObjectURL(url);
return worker;
```

Would it be possible to extract the worker so it can be statically loaded as a separate module? This would allow the usage of a worker URL instead, which could then be added to the CSP to avoid the usage of a blob. Bundlers can add the worker via URL (Vite). If the worker URL is not passed, the code can default to the blob.

Would this be feasible?
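To make the CSP trade-off concrete, here is an added example (not dotlottie-web's code, and not from the issue author) that shows the two halves of the request: a small checker that resolves which CSP directive governs `new Worker(url)` and whether a static URL or a `blob:` URL would pass, and a worker factory that prefers a static URL and only falls back to the inlined blob when no URL is supplied. The function names (`parseCsp`, `workerSources`, `isWorkerUrlAllowed`, `createWorker`), the injectable `WorkerCtor` parameter, and the sample policies and URLs are all assumptions made for this example; the source matcher is deliberately simplified (keywords `'self'`, `blob:`, and exact origins only, no wildcards or paths).

```javascript
// Added example, not part of dotlottie-web. Names and sample inputs are assumed.

// Parse a CSP header value into a map of directive name -> source tokens.
// Per the spec, only the first occurrence of a directive counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Sources that govern `new Worker(url)`: worker-src, falling back to
// child-src, then script-src, then default-src (CSP Level 3 fallback order).
function workerSources(directives) {
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no applicable directive: workers are unrestricted
}

// Simplified source matching: handles 'self', blob:, and exact-origin entries.
// A blob: worker is only allowed when blob: is listed explicitly, which is
// exactly the relaxation the issue's security team refuses to grant.
function isWorkerUrlAllowed(policy, workerUrl, pageOrigin) {
  const sources = workerSources(parseCsp(policy));
  if (sources === null) return true;
  if (workerUrl.startsWith('blob:')) return sources.includes('blob:');
  const origin = new URL(workerUrl, pageOrigin).origin;
  return sources.some(
    (s) => (s.toLowerCase() === "'self'" && origin === pageOrigin) || s === origin
  );
}

// Worker factory implementing the requested behaviour: use a static worker
// URL when the integrator supplies one (works under `worker-src 'self'`),
// otherwise inline the bytes as a blob: URL as dotlottie-web does today.
// WorkerCtor is injectable so the selection logic can be exercised outside a
// browser; in a page it defaults to the global Worker constructor.
function createWorker({ workerUrl, workerBytes }, WorkerCtor = globalThis.Worker) {
  if (workerUrl) {
    return { worker: new WorkerCtor(workerUrl), source: 'url' };
  }
  const blob = new Blob([workerBytes], { type: 'application/javascript' });
  const url = URL.createObjectURL(blob);
  try {
    return { worker: new WorkerCtor(url), source: 'blob' };
  } finally {
    // The worker has already been fetched from the blob URL; release it.
    URL.revokeObjectURL(url);
  }
}

// Constructed sample policy: same-origin workers only, no blob: allowance.
const STRICT_POLICY = "default-src 'self'; worker-src 'self'";
```

With `STRICT_POLICY`, a worker served from the page's own origin (for example a file the bundler emits next to the app) passes, while the `blob:` URL the current implementation produces is rejected; adding `blob:` to `worker-src` is the only way to make the inline variant load, which is the concession the issue is trying to avoid.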

Labels: enhancement (New feature or request)
