Skip to content

Content Security Policy: fix unsafe-eval #12262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
t3chguy opened this issue Feb 6, 2020 · 7 comments
Closed

Content Security Policy: fix unsafe-eval #12262

t3chguy opened this issue Feb 6, 2020 · 7 comments
Assignees
@t3chguy
Labels
Security

Comments

@t3chguy
Copy link
Member

t3chguy commented Feb 6, 2020

Split off from #3632

At this time it is not possible to disable unsafe-eval as it will break WASM. In future this will be possible, this issue is to remind us to do such when all browsers support this.
@stoically
Copy link

as it will break WASM

Just to have it mentioned: this is a Chrome limitation - Firefox allows WASM without unsafe-eval.

@t3chguy
Copy link
Member Author

t3chguy commented Feb 6, 2020

I believe also Safari, which is a browser which riot-web claims to support.

@stoically
Copy link

Related: https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md#behavior-of-current-implementations

@DemiMarie
Copy link

Using WebAssembly.instantiateStreaming would avoid this problem.

This was referenced Jun 19, 2021
Open
Closed
@rugk
Copy link
Contributor

rugk commented Jun 20, 2021

Using WebAssembly.instantiateStreaming would avoid this problem.

As far as I know, no, it does not fix the problem, unfortunately. Chromium 90.0.4430.212 still shows an error:on that test page and it uses instantiateStreaming: https://s3.amazonaws.com/webassembly-chrome-csp/csp_test.html

That is actually also already linked in WebAssembly/content-security-policy#7.

@TanayParikh TanayParikh mentioned this issue Dec 8, 2021
Closed
@dkasak
Copy link
Member

dkasak commented Oct 7, 2022
edited
Loading

There's now support for wasm-unsafe-eval in at least Firefox and Chromium, which is part of CSP Level 3 Working Draft. This directive allows unsafe-eval behaviour for WASM, but not for scripts. Unclear how widely it's supported, though.

This is another issue to pay attention as well long-term: https://bugs.chromium.org/p/chromium/issues/detail?id=961485. This discusses allowing loading WASM from same-origin sources and there's mentions of WASM potentially getting its own CSP directive (e.g. wasm-src).

@t3chguy
Copy link
Member Author

t3chguy commented May 16, 2023

This got done

@t3chguy t3chguy closed this as completed May 16, 2023
@t3chguy t3chguy self-assigned this May 16, 2023
t3chguy pushed a commit that referenced this issue Oct 17, 2024
@dbkr
Fix gradients spacings on the space panel (#12262)
d20e9e4 
* Fix gradients spacings on the space panel

Make the gradients two separate ones so they can be fixed pixel widths
from the top & bottom rather than percentages of the height.

Tweak the spacings between the user menu & threads panel to match
the figma and from Gaelle's design.

* Update snapshots

* More screenshots
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@t3chguy t3chguy

Labels
Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dkasak @t3chguy @DemiMarie @rugk @stoically