libsodium.js icon indicating copy to clipboard operation
libsodium.js copied to clipboard

Published 20 hours ago verified publisher icon jedisct1

Webassembly (and this library) is forbidden in Chrome extension manifest V3

Open KatarinaSimnova opened this issue 3 years ago • 7 comments

Hello, we use this library in our browser extension. Chrome revealed Manifest V3 (new extension platform version) and is about to end support for Manifest V2. In Manifest V3, Webassembly is forbidden for security reasons. Now we are in quite a tough situation, we need javascript libsodium library that does not use Webassembly to be able to smoothly migrate to the Manifest V3 version without damaging our product.

Would it be possible for you to create a non-wasm version of this library? So that browser extension developers can continue to use this awesome library. While there is not a sufficient replacement for this library. We can't just downgrate libsodium wrapper to version 0.5.4 (without wasm) because it does not contain all the crypto functions we need (for example ARGON2ID password hashing algorithm). So we would probably need the newest version of C libsodium library with an old js wrapper without wasm.

KatarinaSimnova avatar Jan 16 '22 12:01 KatarinaSimnova

Hi!

libsodium.js still bundles the JavaScript version in addition to the WebAssembly version.

If an exception is returned when used in a Chrome extension, the wasm support detection code is likely to be the culprit: https://github.com/jedisct1/libsodium/blob/7d67f1909bfa6e1225469dbcdb0229c5a9bbf8e2/dist-build/emscripten.sh#L86-L143

Do you know what changes should be made to that code in order to have the JS version (the "backup module") used in the context of a Chrome extension?

jedisct1 avatar Jan 16 '22 20:01 jedisct1

Manifest v3 replaces "background page" with service worker and disallows wasm-eval in Content Security Policy.

This is the error when libsodium loads inside extension's service worker: image

scholtzm avatar Jan 17 '22 11:01 scholtzm

Ok, the problem is on our side. We use MEMLIMIT_INTERACTIVE in the crypto_pwhash function. While in webassembly it runs smoothly, in javascript it does not work at all (returns an empty buffer). Which makes our migration quite problematic. But this is probably not something you can help us with. Therefore, thank you very much for your quick response, this issue can be closed.

KatarinaSimnova avatar Jan 21 '22 19:01 KatarinaSimnova

Hi, @scholtzm do you resolve this problem? I have the same problem.

andybin-cdc avatar Mar 25 '22 10:03 andybin-cdc

Hi, @scholtzm do you resolve this problem? I have the same problem.

Haven't solved the issue yet. Ideally, Chromium should allow wasm in Mv3 the same way it works in Mv2.

@jedisct1 Is there any workaround for the issue with MEMLIMIT_INTERACTIVE mentioned in the comment above?

edit. Seems like wasm functionality has been restored in Mv3 since Chromium v102. You can test it out in latest Chrome Canary.

scholtzm avatar Apr 11 '22 12:04 scholtzm

Hi all, we are having a similar issue and getting the same error. I see that it works in Chrome Canary, but we are hesitant to use it still as we will release the extension on Chrome.

Does Canary having this imply that Chrome will adapt this in close future?

LeventCelik avatar May 07 '22 18:05 LeventCelik

@LeventCelik Stable release is planned for Tue, May 24, 2022.

scholtzm avatar May 08 '22 19:05 scholtzm