`unsafe-eval` chromium workaround
It would be nice to get rid of this warning:
```
VM92 security-warnings.js:170 Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security
Policy set or a policy with "unsafe-eval" enabled. This exposes users of
this app to unnecessary security risks.
For more information and help, consult
https://electronjs.org/docs/tutorial/security.
This warning will not show up
once the app is packaged.
```
The cause of this is documented in index.html:
```html
<!DOCTYPE html>
<html>
<head>
<base href="app://./" />
<!--
'unsafe-eval' is required because of a Chrome bug(?) that disallows
loading WASM from 'self'.
https://github.com/anderejd/electron-wasm-rust-example/issues/6
https://github.com/WebAssembly/content-security-policy/issues/7
https://bugs.chromium.org/p/chromium/issues/detail?id=948834&can=1&q=wasm-eval
-->
<meta http-equiv="Content-Security-Policy" content="script-src 'self' app: 'unsafe-eval'; object-src 'self' app:;">
<meta content="text/html;charset=utf-8" http-equiv="Content-Type"/>
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<script type="module" src="./main_module.js"></script>
</body>
</html>
```
Hopefully a future chromium update will allow loading WebAssembly without 'unsafe-eval'.
- https://github.com/WebAssembly/content-security-policy/issues/7
- https://bugs.chromium.org/p/chromium/issues/detail?id=948834&can=1&q=wasm-eval
I have spent an hour or two looking into this and it seems like loading wasm from the same origin, like any other resource, really should be allowed but is not in chromium, for unclear reasons.
Why would the Same-origin policy not apply to WebAssembly? And why only in chromium?
See comment #6 at https://bugs.chromium.org/p/chromium/issues/detail?id=948834#c6. It seems to indicate that chromium developers are looking into this:

> Comment 6 by [author elided in extraction] on [date elided] Owner: [email address elided] Status: Assigned (was: Unconfirmed)
However, this https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md seems to indicate that chromium might consider the need for 'unsafe-eval' as a feature.
This comment resonates with my current impression of this issue:

> What is the reason Chromium can't allow loading of wasm modules from same-origin Response objects?

https://github.com/WebAssembly/content-security-policy/issues/7#issuecomment-441259729
TODO: Experiment with some more combinations of settings for CSP in hope of finding a clean workaround, without warnings and security holes, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src