Let's say there's a worker created from a data: URL in a secure context. That worker creates a blob: URL and tries to create a nested worker out of that URL. Should that be blocked as mixed content? In other words, should the blob: URL be considered potentially trustworthy?

From the data worker: postMessaging to a dedicated blob sub-worker allows them to see each others' modifications test in [1], Firefox doesn't block the above as mixed content, but other browsers do.

I think the current spec says the blob: URL is not trustworthy, because [2] says

Note: The origin of `blob:` URLs is the origin of the context in which they were created. Therefore, blobs created in a trustworthy origin will themselves be potentially trustworthy.

Since workers created from a data: URL has a unique opaque origin [3], and opaque origins are not trustworthy [4], this blob: URL should not be considered potentially trustworthy.

However, since this blob is created in a secure context, and blob objects are immutable, it feels like we should be able to trust this URL to deliver data securely. Should we consider updating the spec to make blob: URLs potentially trustworthy if their creator context is secure?

[1] https://wpt.fyi/results/html/infrastructure/safe-passing-of-structured-data/shared-array-buffers/blob-data.https.html?label=master&label=experimental&aligned&q=html%2Finfrastructure%2Fsafe-passing-of-structured-data%2Fshared-array-buffers%2Fblob-data.https.html
[2] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
[3] https://html.spec.whatwg.org/multipage/workers.html#set-up-a-worker-environment-settings-object
[4] https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy