wasm icon indicating copy to clipboard operation
wasm copied to clipboard

Published 20 hours ago verified publisher icon polkadot-js

`wasm-crypto` not loading in environments where `wasm-unsafe-eval` CSP is not allowed

Open krhougs opened this issue 1 year ago • 2 comments

TL;DR

Please change current dynamic loading codes to simply import wasmBytes from "path/to.wasm" in the production bundle to make the library work in secure environments.

I am trying to sign payloads within a Cloudflare Worker. The runtime refuses loading the wasm bytes in memory since the CSP policy wasm-unsafe-eval is not allowed in the runtime. After some research, I found that this affects multiple scenarios:

  • Electron where dynamic evaluating is blocked by default
  • Browser environments that blocks wasm-unsafe-eval explicitly
  • Node.js environments that blocks wasm-unsafe-eval explicitly

I appreciate the current dynamic façon to keep the bundle tiny in size, but it won't work in some secure environments.

Some reading: https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md

Expected: the library should load Current: FATAL: Unable to initialize @polkadot/wasm-crypto:: WebAssembly.instantiate(): Wasm code generation disallowed by embedder

This happens in ANY Environment where wasm-unsafe-eval is not allowed

  • Environment:

    • [x] Node.js
    • [x] Browser
    • [x] Other (limited support for other environments)

krhougs avatar Aug 22 '23 09:08 krhougs