CSP violation reports for web workers displays incorrect effective-directive value (worker-uri) when worker-src is not in the original policy

In https://github.com/twitter/secureheaders/issues/358, we stumbled upon this behavior where the violation report contains worker-uri as a reference to a directive rather than worker-src.

In this case, worker-src was not supplied but was the effective-directive. I have not tested to see if this is the case when worker-src is supplied or if the incorrect reference exists in other places.

I’m just going to assume that edge respects the value of the worker-src directive and does not require one to use worker-uri to match the error. I haven’t tested this either.

I filed this under developer tools because this isn’t a security issue and the only time I look at reports is in developer tools :)

{
    "csp-report": {
        "document-uri": "https://www.talegraph.com/tales/xxx",
        "blocked-uri": "blob",
        "violated-directive": "default-src 'self'",
        "original-policy": "default-src 'self'; connect-src 'self' wss://www.talegraph.com sentry.io api.segment.io api.mixpanel.com wss://*.crisp.chat storage.googleapis.com; font-src 'self' data: fonts.gstatic.com client.crisp.chat; frame-src 'self' blob:; img-src 'self' www.google-analytics.com client.crisp.chat image.crisp.chat data: blob: pi.prod.talegraph.net; media-src 'self' client.crisp.chat; object-src 'none'; script-src 'self' www.google-analytics.com cdn.segment.com cdn.mxpnl.com client.crisp.chat; style-src 'self' 'unsafe-inline' fonts.googleapis.com client.crisp.chat; report-uri https://talegraph.report-uri.io/r/default/csp/enforce",
        "effective-directive": "worker-uri",  <-- confusion
        "status-code": 200
    }
}