[webkit-dev] Content Security Policy for WebAssembly

Francis McCabe fgm at chromium.org
Mon Aug 30 16:42:36 PDT 2021

Hello WebKit devs,
  We would like to get an official position on this proposal.
  The proposal is to extend the coverage of W3C Content Security Policy (
https://www.w3.org/TR/CSP3/) to include WebAssembly modules.
  Currently, CSP has an option to manage policy for WebAssembly execution
through the 'unsafe-eval' source directive. However, the primary role of
that directive is to allow eval in JavaScript.
 This change adds a specific source directive 'wasm-unsafe-eval' to CSP
that permits an engine to compile and instantiate a wasm module. In
addition, the proposal is to extend the coverage of existing script-src
directives to include wasm modules downloaded using the fetch API. This
would affect instantiateStreaming and compileStreaming.

The link to the proposed changes to CSP is
The link to the proposed change in WebAssembly's web API is

Thank you
Francis McCabe
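
A simplified model of the keyword check described in the message above, added here as an illustration; it is not part of the original e-mail or of the proposal text. The function names and sample policies are constructed, and the script-src URL matching for instantiateStreaming/compileStreaming is not modelled.

```javascript
// Added illustration: a simplified model, not a full CSP3 parser or matcher.
// It inspects keyword sources only and ignores nonces, hashes and host sources.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores duplicates.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Report what a policy allows for JavaScript eval() and for WebAssembly
// compilation/instantiation, following the rule described in the message.
function evalPermissions(policy) {
  const directives = parsePolicy(policy);
  // script-src governs both; default-src is the fallback when it is absent.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) {
    // No governing directive: the policy restricts neither operation.
    return { jsEval: true, wasmCompile: true };
  }
  const unsafeEval = sources.includes("'unsafe-eval'");
  const wasmUnsafeEval = sources.includes("'wasm-unsafe-eval'");
  // 'unsafe-eval' covers both; 'wasm-unsafe-eval' covers wasm only.
  return { jsEval: unsafeEval, wasmCompile: unsafeEval || wasmUnsafeEval };
}

// Constructed sample policies for an audit run.
const SAMPLE_POLICIES = [
  "script-src 'self' 'unsafe-eval'",      // broad: JS eval and wasm
  "script-src 'self' 'wasm-unsafe-eval'", // narrow: wasm without JS eval
  "default-src 'self'",                   // fallback applies, both blocked
  "img-src *",                            // no script policy at all
];

function audit(policies) {
  return policies.map((p) => ({ policy: p, ...evalPermissions(p) }));
}

console.table(audit(SAMPLE_POLICIES));
```

A site that only needs WebAssembly can replace 'unsafe-eval' with 'wasm-unsafe-eval' and confirm with a check like this that JavaScript eval is no longer permitted.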