Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP disallows WASM on Safari, Chrome #60

Closed
kujenga opened this issue Apr 24, 2022 · 1 comment · Fixed by #82
Closed

CSP disallows WASM on Safari, Chrome #60

kujenga opened this issue Apr 24, 2022 · 1 comment · Fixed by #82

Comments

@kujenga
Copy link
Owner

kujenga commented Apr 24, 2022
edited
Loading

With the merge of #57 I was validating in Safari and Chrome and ran into the following issue. Goal of this issue is to capture why this is and resolve it for those browser environments.

error:
EvalError: Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' ...

This is a problem many have run into, you can see all sorts of similar reports here: https://github.com/search?q=unsafe-eval+WASM+is%3Aissue&type=issues for various projects. Right now, the most universal solution is to put unsafe-eval in the script-src directive, which resolve the issue but is not ideal from a security perspective (though not too much of a major issue for this site). See here for reference: WebAssembly/content-security-policy#7

The ideal next state to get to seems to be a wasm-unsafe-eval directive, outlined here: https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md but it is not well-supported yet. Trackers for wasm-unsafe-eval support being added to various browsers:
kujenga added a commit that referenced this issue Apr 24, 2022
@kujenga
csp: add unsafe-eval directive to allow WASM in all browsers
c94e2c0 
While Firefox does allow for WASM compilation without such directives,
Safari and Chrome do not, so unsafe-eval is the best we can do for now
it seems in order to add universal support. Tracking various things [1]
that will allow for the use of wasm-unsafe-eval instead.

[1] #60
@kujenga kujenga mentioned this issue Apr 24, 2022
Merged
@kujenga kujenga changed the title CSP disallows WASM on Safari, Chroms CSP disallows WASM on Safari, Chrome Apr 24, 2022
@kujenga
Copy link
Owner Author

kujenga commented Apr 24, 2022

Issue is fixed with #61 brought in, but leaving this open as a reminder to switch to wasm-unsafe-eval in the future.

kujenga added a commit that referenced this issue Oct 2, 2023
@kujenga
switch from unsafe-eval to unsafe-wasm-eval
f2d28ef 
Per https://caniuse.com/?search=wasm-unsafe-eval this functionality is
now available in all major browsers, so it seems reasonable to switch
over to it off of the broader CSP allowance.

Closes #60
@kujenga kujenga mentioned this issue Oct 2, 2023
Merged
kujenga added a commit that referenced this issue Oct 2, 2023
@kujenga
switch from unsafe-eval to wasm-unsafe-eval
3d22aaa 
Per https://caniuse.com/?search=wasm-unsafe-eval this functionality is
now available in all major browsers, so it seems reasonable to switch
over to it off of the broader CSP allowance.

Closes #60
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

switch from unsafe-eval to wasm-unsafe-eval kujenga/website
1 participant
@kujenga