rugk
So as it seems this question has been answered and I thus close this issue. If anyone has further questions on that topic, feel free to comment here, again.
Oh yeah, seems you have some good points there… :thinking:
> it is up to the application to validate loaded configuration. Digesting an incorrect one and allowing itself to run in a partially broken (hence hard to diagnose) state is...
Interesting, there is a new [`strict-dynamic`](https://content-security-policy.com/strict-dynamic/) thing in CSPv3 that – as far as I understand it – lets one script load any other scripts. I'm still thinking of whether...
And [there is more crazy (experimental) stuff](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for) ([again found via Google's CSP tool](https://csp-evaluator.withgoogle.com/?csp=https://privatebin.net)), but that seems to look like a better solution for `unsafe-eval`, which we only include, because of...
Regarding [`unsafe-eval` the Matrix Element client has the same issue and someone suggested](https://github.com/vector-im/element-web/issues/12262#issuecomment-864274860) this:

> Using `WebAssembly.instantiateStreaming` would avoid this problem.

Also [the docs](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/instantiateStreaming) for this say:

> This is the most efficient, optimized way to load wasm code.

So would likely not be a bad idea to use this altogether…
Opened a new issue for that, so we can keep this “meta-issue” here and fix that WebAssembly loading: https://github.com/PrivateBin/PrivateBin/issues/814
We do use [prettify](https://github.com/google/code-prettify) for syntax highlighting. It does also say it powers e.g. Stack Overflow there. So can you reproduce the bug there, too? In any case, we may upgrade...
Code to reproduce:

```
import os
helpstring = '''sss bla okay newline hkjhjas don't end it here'''
```

v1.3.3