Hello Webkit devs

We would like to get an official position on this proposal.

The proposal is to extend the coverage of W3C Content Security Policy (https://www.w3.org/TR/CSP3/) to include WebAssembly modules.

Currently, CSP has an option to manage policy for WebAssembly execution through the 'unsafe-eval' source directive. However, the primary role of that directive is to allow eval in JavaScript.

This change adds a specific source directive 'wasm-unsafe-eval' to CSP that permits an engine to compile and instantiate a wasm module. In addition, the proposal is to extend the coverage of existing script-src directives to include wasm modules downloaded using the fetch API. This would affect instantiateStreaming and compileStreaming.

The link to the proposed changes to CSP is https://github.com/w3c/webappsec-csp/pull/293.

The link to the proposed change in WebAssembly's web API is https://github.com/WebAssembly/content-security-policy/tree/fgm-patch-4

Thank you

Francis McCabe