
Chrome 63 seems to ignore or break on worker-src CSP headers


Update: in this case the issue was root-caused to having the uMatrix plugin installed and enabled. Even when the plugin was switched off, the issue remained. So there are two ways to work around those confusing errors:

  • Disable uMatrix completely in the Extensions/Plugins menu in the browser. Using the built-in "turn off" button in uMatrix will not help.
  • Just let it go and ignore the warning.

The details are here: https://github.com/gorhill/uMatrix/issues/926#issuecomment-359905357


Initial reply for history.

Xceno, did you confirm that Chrome really fails to load the worker?

I see the exact same error, but... the SW actually works. Maybe this is just a false-positive bug from Chrome.

Here is my code and what I see in the console:

    navigator.serviceWorker.register('/sw.js').then(function(registration) {
        console.log('ServiceWorker registration successful with scope: ', registration.scope);
        // ... some other code
    });

Console output:

    defer.js:36 [Report Only] Refused to create a worker from 'https://.../sw.js' because it violates the following Content Security Policy directive: "worker-src 'none'".
    defer.js:37 ServiceWorker registration successful with scope:  https://.../

In my case SW was in fact successfully installed and worked as designed.


As promised — here are the headers. I was unable to put them in a comment. As you can see, I don't have CSP headers explicitly, and the only ones related to security are x-content-type-options and x-frame-options. That's it. Hope it helps somehow.

    content-type: text/html; charset=UTF-8
    cache-control: must-revalidate, no-cache, private
    x-ua-compatible: IE=edge
    content-language: en
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    expires: Sun, 19 Nov 1978 05:00:00 GMT
    vary: Accept-Encoding
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    server: cloudflare
    cf-ray: 3e91b05aabb05540-ORD
    content-encoding: br
    x-firefox-spdy: h2
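
An added example, not part of the original answer: a small check that takes a captured response-header block and reports whether any server-sent policy could explain a worker-src violation shown in the console. The function names and the trimmed sample header block are constructed for illustration; the fallback order is the one CSP Level 3 defines for worker-src.

```javascript
// Constructed sample: a trimmed copy of the header capture in the answer above.
const SAMPLE_HEADERS = [
  'content-type: text/html; charset=UTF-8',
  'x-content-type-options: nosniff',
  'x-frame-options: SAMEORIGIN',
  'server: cloudflare',
].join('\n');

// CSP Level 3 fallback order consulted when a worker is created.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse "name: value" lines into [lowercased name, value] pairs.
function parseHeaders(raw) {
  return raw.split(/\r?\n/).filter(l => l.includes(':')).map(l => {
    const i = l.indexOf(':');
    return [l.slice(0, i).trim().toLowerCase(), l.slice(i + 1).trim()];
  });
}

// Split one serialized policy into a Map of directive -> source list.
// The first occurrence of a directive wins, as in the CSP parsing rules.
function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// disposition: 'report' for "[Report Only]" console messages, 'enforce' otherwise.
// Report-only policies are only honoured as HTTP headers, never via <meta>.
function explainWorkerViolation(rawHeaders, disposition) {
  const wanted = disposition === 'report'
    ? 'content-security-policy-report-only' : 'content-security-policy';
  const matches = [];
  for (const [name, value] of parseHeaders(rawHeaders)) {
    if (name !== wanted) continue;
    // One header value may carry several comma-separated policies.
    for (const policy of value.split(',')) {
      const directives = parsePolicy(policy);
      const governing = WORKER_FALLBACK.find(d => directives.has(d));
      if (governing) matches.push({ header: name, governing, sources: directives.get(governing) });
    }
  }
  return { fromServer: matches.length > 0, matches };
}
```

For the headers in the answer, `explainWorkerViolation(SAMPLE_HEADERS, 'report')` returns `fromServer: false`, which is consistent with the policy being injected in the browser (here, by uMatrix) and not sent by the site.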