[js-api] Needs to integrate with CSP

Open annevk opened this issue 4 years ago • 14 comments

It seems that https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md hasn't been integrated here yet, but https://w3c.github.io/webappsec-csp/#can-compile-wasm-bytes does exist.

@antosart @fgmccabe

annevk avatar Nov 09 '21 14:11 annevk

what do you mean by 'integrated'?

fgmccabe avatar Nov 09 '21 18:11 fgmccabe

Well, where is EnsureCSPDoesNotBlockWasmByteCompilation invoked? It seems https://webassembly.github.io/spec/js-api/ has to do that, no?

annevk avatar Nov 10 '21 08:11 annevk

I will take a look at this. I thought it was done but something 'went wrong' with git when I merged upstream.

fgmccabe avatar Nov 11 '21 17:11 fgmccabe

I am now crafting an appropriate algorithm.

fgmccabe avatar Nov 12 '21 21:11 fgmccabe

@fgmccabe Hi! I am starting to look into implementing this in Firefox, has there been any update here?

evilpie avatar Mar 21 '22 11:03 evilpie

wasm-unsafe-eval shipped in Chrome 97. What additional information are you looking for?

fgmccabe avatar Mar 21 '22 15:03 fgmccabe

As far as I can tell https://webassembly.github.io/spec/js-api/ doesn't include any references to EnsureCSPDoesNotBlockWasmByteCompilation yet.

evilpie avatar Mar 21 '22 16:03 evilpie

It has not been standardized yet. You need to look at https://github.com/WebAssembly/content-security-policy for the CSP stuff, and https://github.com/WebAssembly/content-security-policy/tree/main/document/web-api and https://github.com/WebAssembly/content-security-policy/pull/40 in particular. (The latter represents unfinished business at the moment)

fgmccabe avatar Mar 21 '22 22:03 fgmccabe

What's the holdup with getting it standardized on the Wasm side? It's certainly standardized on the CSP side, though that was on the presumption it would be here as well.

annevk avatar Mar 22 '22 07:03 annevk

A combination of factors:

  1. It is currently in stage 3 of the process (the standards process is different for wasm & CSP)
  2. In order to get to stage 4, we will need a second implementation. (Which is where you come in :))
  3. Some laziness/lack of prioritization on my part
  4. I have recently been focusing on fixing a CSP/wasm issue with extensions manifest V3

fgmccabe avatar Mar 22 '22 15:03 fgmccabe

For 2 it would help to have some clarity with respect to what to implement though.

annevk avatar Apr 04 '22 12:04 annevk

wasm-unsafe-eval?

fgmccabe avatar Apr 04 '22 15:04 fgmccabe

Yes and in particular how it interacts with the Wasm APIs.

annevk avatar Apr 05 '22 06:04 annevk

You can see a draft of the wasm proposal at https://webassembly.github.io/content-security-policy/

fgmccabe avatar Apr 07 '22 21:04 fgmccabe
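
An added example, not part of the thread and not spec text: a sketch of the decision that CSP's EnsureCSPDoesNotBlockWasmByteCompilation makes, following the algorithm at the w3c.github.io link in the opening post. The function names `parsePolicy` and `checkWasmByteCompilation`, the `{ value, disposition }` policy shape, and the simplified header parsing are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not from the spec or any browser.

// Parse one serialized policy into a Map of directive name -> source expressions.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Walks a list of { value, disposition } policies ("enforce" or "report") the way
// the CSP algorithm does: every policy is checked, and any enforced one can block.
function checkWasmByteCompilation(policies) {
  let result = "Allowed";
  const violations = [];
  for (const { value, disposition } of policies) {
    const directives = parsePolicy(value);
    // script-src governs; default-src is the fallback; neither means no restriction.
    const sourceList =
      directives.get("script-src") ?? directives.get("default-src") ?? null;
    if (sourceList === null) continue;
    const lowered = sourceList.map((s) => s.toLowerCase());
    if (lowered.includes("'unsafe-eval'") || lowered.includes("'wasm-unsafe-eval'")) {
      continue;
    }
    // A report-only policy records a violation but does not block compilation.
    violations.push({ value, disposition });
    if (disposition === "enforce") result = "Blocked";
  }
  return { result, violations };
}

// Constructed sample policies, not taken from any real site.
const strict = [{ value: "script-src 'self'", disposition: "enforce" }];
const wasmOnly = [{ value: "script-src 'self' 'wasm-unsafe-eval'", disposition: "enforce" }];
console.log(checkWasmByteCompilation(strict).result);   // Blocked
console.log(checkWasmByteCompilation(wasmOnly).result); // Allowed
```

In a browser, a "Blocked" outcome surfaces as a `WebAssembly.CompileError` thrown from the byte-compilation entry points, which is the hook the thread says the JS API spec still needs to reference.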