Can/should HTML5 Web Workers use CORS for cross-origin?

Question

I ran into an interesting problem while creating a hosted API that relies on web workers. I was hoping to get a little community feedback on it.

My server is set up

Answer 1

I did a lot of digging and asked around on IRC channels. I got some pretty good answers thanks to the guys in #developers on the Mozilla network. Hopefully this will help anyone in the same situation as me.

To sum it up, the HTML spec outlines that running new Worker('http://remoteorigin.com/worker.js') should execute the worker with the remote origin's security context. Something that's like CORS but not quite because it's execution rights instead of reading rights.

So why isn't that how it works right now? Because browsers haven't implemented the full spec yet. Chalk it up as something to look forward to.

Until then, there are actually 2 workarounds. I outlined the blob method above but we also can use importScripts(). If you can't modify the Worker itself, you could probably make a shell Worker that simply implements the Worker you actually want.