Description
Importing the library results in the following security error in the browser due to the unsafe use of a blob to create a worker.
```
Refused to create a worker from 'blob:https://localhost' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.
```
The worker is created here:
```js
super(URL.createObjectURL(blob));
```
This same issue was resolved by another project here:
DataDog/browser-sdk#1578
I'll quote from that issue since it describes the problem well:
> This forces the lib consumer to add worker-src: blob: to their CSP header configuration.
>
> Using blob: for a service worker defeats the purpose of CSP configuration, as now any JS code can create a service worker on my app with JavaScript code whose origin, integrity, etc. I can't check.
>
> As the W3C said, blob: is like eval-unsafe: https://www.w3.org/TR/CSP2/#source-list-guid-matching.
Since the JavaScript code here is static, there is no reason it couldn't be loaded from a static file.
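To make the fallback behaviour in that error message concrete, here is an added example (it is not code from this library or from the DataDog issue): a small model of how a browser decides whether `new Worker(url)` is permitted under a Content-Security-Policy header. The directive names, the `worker-src` → `child-src` → `script-src` → `default-src` fallback chain and the source-expression forms follow CSP Level 3; host-source matching is simplified to `[scheme://]host[:port]`. The page origin `https://localhost` is taken from the error above, and the static worker path `/worker.js` is an assumption.

```javascript
// Added example, not code from the library or the DataDog issue: a minimal
// model of CSP worker-URL evaluation. Host-source matching is simplified.

// CSP3 fallback chain for worker requests: the first directive present wins.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse "name src src; name src" into Map<name, [sources]>. A directive that
// is repeated within one policy keeps only its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Which directive governs a worker request under this policy (null = none).
function governingDirective(directives) {
  return WORKER_FALLBACK.find((name) => directives.has(name)) ?? null;
}

// Simplified host-source: [scheme://]host[:port], host may start with "*.".
function hostSourceMatches(expr, url) {
  let scheme = null;
  let rest = expr;
  const i = expr.indexOf('://');
  if (i !== -1) { scheme = expr.slice(0, i) + ':'; rest = expr.slice(i + 3); }
  const [host, port] = rest.split('/')[0].split(':');
  if (scheme && scheme !== url.protocol) return false;
  const h = url.hostname.toLowerCase();
  const hostOk = host.startsWith('*.') ? h.endsWith(host.slice(1)) : h === host;
  if (!hostOk) return false;
  const urlPort = url.port || { 'https:': '443', 'http:': '80' }[url.protocol] || '';
  return !port || port === '*' || port === urlPort;
}

// Does one source expression match the worker URL?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  // 'self' never matches blob:, data: or filesystem: URLs, even when the blob
  // was created by same-origin script. That is why the blob worker in the
  // issue is refused under "script-src 'self' ...".
  if (e === "'self'") {
    const webScheme = url.protocol === 'https:' || url.protocol === 'http:';
    return webScheme && url.origin === pageOrigin;
  }
  // 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL.
  if (e.startsWith("'")) return false;
  if (e === '*') return !['blob:', 'data:', 'filesystem:'].includes(url.protocol);
  // scheme-source such as "blob:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  return hostSourceMatches(e, url);
}

// Evaluate a worker URL against a policy as seen from a page at pageOrigin.
function evaluateWorkerUrl(policy, workerUrl, pageOrigin) {
  const directives = parseCsp(policy);
  const directive = governingDirective(directives);
  if (directive === null) return { allowed: true, directive };
  const url = new URL(workerUrl);
  const allowed = directives.get(directive).some((s) => sourceMatches(s, url, pageOrigin));
  return { allowed, directive };
}

// The three situations discussed in the issue. The policy string is the one
// quoted in the browser error; the worker path /worker.js is assumed.
function issueScenarios() {
  const policy = "script-src 'self' 'unsafe-eval' 'unsafe-inline'";
  const page = 'https://localhost';
  return {
    // 1. The library's blob-URL worker: refused, script-src is the fallback.
    blobWorker: evaluateWorkerUrl(policy, 'blob:https://localhost', page),
    // 2. The fix proposed in the issue: the same script served as a static
    //    same-origin file, allowed by 'self' with no CSP change.
    staticWorker: evaluateWorkerUrl(policy, 'https://localhost/worker.js', page),
    // 3. The workaround the DataDog issue objects to: worker-src blob:. It
    //    lets the library load, but any injected script can now run arbitrary
    //    code in a worker too, so it weakens the policy for the whole page.
    blobAllowlisted: evaluateWorkerUrl(policy + '; worker-src blob:', 'blob:https://localhost', page),
  };
}

console.log(JSON.stringify(issueScenarios(), null, 2));
```

Running it shows `blobWorker` refused with `directive: 'script-src'` (the fallback named in the error), `staticWorker` allowed under the unchanged policy, and `blobAllowlisted` allowed only because `worker-src blob:` now governs instead of `script-src`, which is the trade-off the quoted DataDog comment describes.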