Issue
After the release of Chrome version 139.X.X (built on Chromium), users experience failures when launching the LiveUI inspector in Pega applications when using a content security policy (CSP) in the application.
Symptoms and Impact
After opening Live UI, the tree panel does not display any values and constantly displays status "Loading..." .
When launching Live UI with the tree panel expanded, the Console displays a log error:
“Refused to create a worker from 'blob:https://example.com/baff24461dfc' because it violates the following Content Security Policy directive: "child-src 'self'". Note that 'worker-src' was not explicitly set, so 'child-src' is used as a fallback.”
Developers are unable to use Live UI for troubleshooting, which is critical for diagnosing and resolving platform issues.
Steps to reproduce
-
Log into Dev Studio
-
Go to -> -> .
-
Locate and select the configured CSP Policy name used by your application.
-
Edit Content Security Policy to Disable Data and Blob for Child Frame-Source.
-
Refresh the browser tab and open Live UI.
Root Cause
This is a known issue caused by the changes Google made in the latest Chromium 139 update which affects browsers like Chrome and Edge. Live UI generates blob-based workers (e.g. new Worker(blobURL)). When the worker-src directive is not explicitly defined, Chrome falls back to the child-src directive.
If child-src is set to Self, it excludes blob: URLs, which are required for Live UI worker script creation. Google introduced a security change that causes the browser to fire an error event when a Content Security Policy (CSP) blocks a Worker script. This results in the browser blocking the functionality.
Solution
For applications using custom CSP
Use a workaround to add “blob: “ URL’s to the list of Allowed websites in the CSP. Add these to the child-src directive in the CSP rule mapped to the application along with Self option.
-
Log into Dev Studio
-
Go to -> -> .
-
Locate and select the configured CSP policy name used by your application.
There are two types of configurations the user can make at this point:
Configuration 1:
This is our recommended configuration as it is the most secure:
-
In the Child Frame-Source section, add "blob:" to the list of allowed sources.
The updated directive should include both Self and 'blob:' to maintain security while enabling Live UI.
Configuration 2:
This is for scenarios where your business requires that you use the option Allow-All instead of Self for the child-src directive:
- Select the option Data in the Child Frame-Source section. Enabling the Data checkbox implicitly enables the "blob:" directive.
For applications using OOTB CSP
The OOTB Content Security Policy rule pxDefaultSecured has been fixed in the following releases:
-
Pega Infinity™ '24.2.3
-
Pega Infinity '25.1.1
This documentation will be updated as soon as the fix is included in other patches.
References
Chrome 139 Release Notes – Fire error event for CSP-blocked Worker