Thinking out of "the box"
Since there "seems" to be no way to do this in a "good" way, one could always apply a lil creativity to achieve a specific outcome.
Just to recap:
- the requirement is to have a way to identify from where a request is made
- this can either be achived manually per
Worker invocation, or automatically
- any security issues seem to be handled elsewhere
- altering the
Worker URL upon invocation could be helpful for automatic handling
Work-able solution
Here is a wrapper that can be used to "hijack" some class invocations or methods:
const hijack = function(driver,victim,jacker)
{
if(((typeof driver)=='string')&&!victim){return this.plan[driver]}; // recap
if(victim in this.plan){return}; // only jack once? .. less cruel
this.plan[victim]={victim:driver[victim],jacker:jacker}; // plan the heist
let con = {enumerable:false,configurable:false,writable:false,value:function()
{
let car=hijack((this.mask||this.name||this.constructor.name)); let m=this.mask;
let arg=car.jacker.apply(null,arguments); if(!Array.isArray(arg)){arg=[arg]};
if(!m){return new (Function.prototype.bind.apply(car.victim,[null].concat(arg)))()}
else{return car.victim.apply(this,arg)};
}};
try{con.value.prototype = Object.create(driver[victim].prototype)} // blend in
catch(oops){Object.defineProperty(driver,'mask',{value:victim});}; // recover
Object.defineProperty(driver,victim,con);
}.bind({plan:{}});
... nail meets hammer
How it works
- It takes in 3 arguments:
driver ~ the object that contains the target function/methodvictim ~ the name of the function/method that will be interceptedjacker ~ a callback-function -which is used to relay/change arguments
- The original method is copied to where it can be used or subsequent calls
- The callback imposes (deposes) the original and can either relay arguments unchanged between the caller and the callee (exactly like the original), but now you can control how it happens (if at all) and what to relay exactly; either with some simple condition(s) or some elaborate scheme (a.k.a "evil plan")
- For the sake of simplicity this code (above) only permits 1 interception per
victim, but this can be extended for multiple intercepts; either by "chain-relay" (callback array) or "event-dispatcher + event-listener combo(s)".
How to use
Specific to the question:
hijack(window,'Worker',function(arg){return `${arg}?worker=true`});
To address the security concerns in the comments, an api-key could be useful; so if some string was passed to the running instance (browser or server) that is unique to the current session (or client), it could suffice, for example:
hijack(window,'Worker',function(arg){return `${arg}?worker=${window.ApiKey}`});
.. where ApiKey was defined globally as a string, but it can also be the result of a function-call -which gets it from a cookie, or whichever.
Useful tool
This can also be used to enhance security. If you are concerned about XHR requests made from devtools or even worse: eval() -then you can use this hijack to intercept those calls/invocations globally.
For example:
hijack(URL,'createObjectURL',function(arg){console.log(arg); return `whatever`});
If you plan to use this as security tool, then it needs some TLC with a dash of "call-stack back-trace", a "mutation-observer" .. and a pinch of (dark) matter (:
disclaimer
nobody got hurt during this exercise .. the victim turned out okay .. use at your own discretion
