Sentry-hosted replay compression worker? #11361
In my application, I would like to avoid allowing blob as a worker-src in our CSP. (I'm also skeptical that blob should be Sentry's recommended solution, as it's equivalent to allowing unsafe-eval. Maybe I'm overestimating what web workers can do, but that seems like it opens up a lot of options for a malicious actor?)
I'm looking at the docs on using a custom compression worker for replays: https://docs.sentry.io/platforms/javascript/session-replay/configuration/#using-a-custom-compression-worker
It seems like a pain to self-host the worker script, and to keep it up to date with the code in the Sentry repo.
I'm wondering: Is there any reason Sentry can't host an up-to-date version of the minified worker script at like https://some-subdomain.sentry.io/worker.min.js? Then people can just allow that for worker-src in their CSP, and avoid the need to use blob, while also avoiding the headache of having to self-host an up-to-date version themselves.
Replies: 1 comment
This would indeed significantly simplify deploying Sentry alongside a strict CSP.
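An added example, not part of the thread and not Sentry's code: a small Node.js audit for the concern raised in the question. It resolves which CSP directive actually governs workers (`worker-src` falls back to `child-src`, then `script-src`, then `default-src`) and reports whether that directive admits `blob:` workers. The function names and sample policies are constructed for illustration.

```javascript
// Fallback chain browsers use to decide which directive governs Worker loads.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by the browser; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report the governing directive and whether blob: workers are permitted.
function auditWorkerSources(header) {
  const directives = parseCsp(header);
  const governing = WORKER_FALLBACK.find((d) => directives.has(d)) || null;
  if (governing === null) {
    // No applicable directive: worker loads are unrestricted, blob: included.
    return { governing, sources: [], allowsBlob: true, inherited: false };
  }
  const sources = directives.get(governing);
  // "*" does not match the blob: scheme, so blob: must be listed explicitly.
  const allowsBlob = sources.some((s) => s.toLowerCase() === "blob:");
  return { governing, sources, allowsBlob, inherited: governing !== "worker-src" };
}

// Constructed sample policies.
const SAMPLES = {
  blobWorker: "default-src 'self'; script-src 'self'; worker-src 'self' blob:",
  inheritedBlob: "default-src 'self'; script-src 'self' blob:",
  selfHostedWorker: "default-src 'self'; worker-src 'self'",
  wildcardOnly: "script-src *",
};

for (const [name, policy] of Object.entries(SAMPLES)) {
  const r = auditWorkerSources(policy);
  const how = r.inherited ? " (inherited via fallback)" : "";
  console.log(`${name}: ${r.governing}${how}, blob: workers ${r.allowsBlob ? "ALLOWED" : "blocked"}`);
}
```

The `inheritedBlob` case is the one most easily missed in review: there is no `worker-src` at all, yet `blob:` workers are permitted because `script-src` becomes the governing directive.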