[Webkit-unassigned] [Bug 257048] New: CSP: Support origins and hashes for WebAssembly
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri May 19 13:18:05 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=257048
Bug ID: 257048
Summary: CSP: Support origins and hashes for WebAssembly
Product: WebKit
Version: Safari 16
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebAssembly
Assignee: webkit-unassigned at lists.webkit.org
Reporter: rob at agilebits.com
My hopes for Bug 173105 were high, but sadly the only way to permit WASM in a CSP is still with either `unsafe-eval` or `wasm-unsafe-eval` (added with Bug 235408). That means that the strictest a developer can get with the CSP is to say that either all WASM or no WASM can be run. As with JavaScript, though, we (1Password) would like to limit what WASM can be run on our domain, either by request origin (for WASM streaming APIs) or by SRI hash (streaming or not).
The original proposal for this can be found here: https://github.com/WebAssembly/content-security-policy/blob/57b7b528bb5723b37e50497348e0432a7ad65c70/proposals/CSP.md#proposed-origin-bound-permission
Unfortunately, the current version of the proposal has backtracked to remove the parts about binding to the request origin or SRI hash, replacing them with a commentary on the suitability of "script-src": https://github.com/WebAssembly/content-security-policy/blob/dd75e5ba3d31aa50cda1216e7ae15170c72ce7c7/proposals/CSP.md#using-existing-csp-script-src-policies
I see the value in using a new directive like "wasm-src" instead of "script-src", but that doesn't change the need for _some_ way to bind to an origin or hash.
This issue is the WebKit counterpart to https://bugs.chromium.org/p/chromium/issues/detail?id=961485.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230519/85719b86/attachment-0001.htm>
More information about the webkit-unassigned
mailing list