[Feature Request]: Support CSP/Chrome Extension Safe Build Without Base64 Blob Worker #1699
Description
Preflight Checklist
- I have searched the issue tracker for a feature request that matches the one I want to file, without success.
What package is this feature request for?
rrweb
Problem Description
Hi rrweb team, thanks for the great work on rrweb — it’s an amazing tool for session recording.
I’m building a Chrome extension that uses rrweb as a core dependency. However, the extension was rejected from the Chrome Web Store due to a "Red Titanium" violation, which flags base64-encoded scripts that are decoded at runtime (e.g., via atob + Blob + new Worker(...)).
This appears to come from the use of a base64-encoded Web Worker bundled into rrweb's distribution (e.g., rrweb.js, rrweb.umd.cjs, etc.). Chrome reviewers are very strict about this kind of logic, even when it’s harmless, because it makes the code difficult to audit.
❌ Problem
Base64-encoded strings with Uint8Array.from(atob(...)) create decoded Blob scripts at runtime.
Chrome Store considers this obfuscation and blocks extensions that use them.
Proposed Solution
✅ Request
Would it be possible to provide
A CSP-compliant / Chrome Extension-safe build of rrweb that does not inline the base64 worker?
This would make rrweb immediately usable in extensions and strict CSP environments.
Alternatives Considered
An official build flag or ES module export that uses a separately loaded worker file (e.g., new Worker(chrome.runtime.getURL('rrweb-worker.js'))) is also an option to allow extensions to pass Chrome review.
Additional Information
I found a similar feature request here that didn't have any solution for almost 2 years: #1308
Please prioritize this, as extensions are a great way to use rrweb.