[webkit-dev] Content Security Policy for WebAssembly
Francis McCabe
fgm at chromium.org
Mon Aug 30 16:42:36 PDT 2021
Hello Webkit devs
We would like to get an official position on this proposal.
The proposal is to extend the coverage of W3C Content Security Policy (
https://www.w3.org/TR/CSP3/) to include WebAssembly modules.
Currently, CSP has an option to manage policy for WebAssembly execution
through the 'unsafe-eval' source directive. However, the primary role of
that directive is to allow eval in JavaScript.
This change adds a specific source directive 'wasm-unsafe-eval' to CSP
that permits an engine to compile and instantiate a wasm module. In
addition, the proposal is to extend the coverage of existing script-src
directives to include wasm modules downloaded using the fetch API. This
would affect instantiateStreaming and compileStreaming.
The link to the proposed changes to CSP is
https://github.com/w3c/webappsec-csp/pull/293.
The link to the proposed change in WebAssembly's web API is
https://github.com/WebAssembly/content-security-policy/tree/fgm-patch-4
Thank you
Francis McCabe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20210830/68624215/attachment.htm>
More information about the webkit-dev
mailing list