patch: Add dynamic execution flag to emcc build to allow for wasm-unsafe-eval in csp

[zplata]

Should help address #131

If folks set CSP policies that block unsafe-eval scripts (i.e use of new Function() or eval()), they may have issues rendering Rives because our WASM (built using Emscripten) that has binding code to JS includes some new Function() code as part of Emscripten's inner-workings around binding. There's some effort on Emscripten's side to remove some of these pieces, but the guidance for consumers as seen in this issue is to allow wasm-unsafe-eval in the CSP. This alone however still doesn't solve everything. We need to set this DYNAMIC_EXECUTION=0 flag to prevent the use of new Function() or eval() in Emscripten's native binding code during build. The pairing of this fix in our WASM build setup, and the consumer setting wasm-unsafe-eval should get Rives running in web apps if it were blocked before. While not perfect, it's better than setting unsafe-eval for sure as a content policy.

If this takes, we'll document this in our JS runtimes gitbook section

[csmartdalton]

Could you add a note about what is causing this error in Rive, and what it means for our code to enable wasm-unsafe-eval? I read that and it sounds scary to enable 😱

[zplata]

@csmartdalton yeah good point! Sorry, didn't really document the issue clearly. I updated the description.

We're not enabling any wasm-unsafe-eval on our side; this is a CSP policy attribute set from the user side of things on their web apps if they decide to set content security policies so that their apps aren't blocking our WASM from running

[csmartdalton]

Thanks for clarifying! I understand what's going on now