[Webkit-unassigned] [Bug 257048] New: CSP: Support origins and hashes for WebAssembly

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 19 13:18:05 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=257048

            Bug ID: 257048
           Summary: CSP: Support origins and hashes for WebAssembly
           Product: WebKit
           Version: Safari 16
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rob at agilebits.com

My hopes for Bug 173105 were high, but sadly the only way to permit WASM in a CSP is still with either `unsafe-eval` or `wasm-unsafe-eval` (added with Bug 235408). That means that the strictest a developer can get with the CSP is to say that either all WASM or no WASM can be run. As with JavaScript, though, we (1Password) would like to limit what WASM can be run on our domain, either by request origin (for WASM streaming APIs) or by SRI hash (streaming or not).

The original proposal for this can be found here: https://github.com/WebAssembly/content-security-policy/blob/57b7b528bb5723b37e50497348e0432a7ad65c70/proposals/CSP.md#proposed-origin-bound-permission

Unfortunately, the current version of the proposal has backtracked to remove the parts about binding to the request origin or SRI hash, replacing them with a commentary on the suitability of "script-src": https://github.com/WebAssembly/content-security-policy/blob/dd75e5ba3d31aa50cda1216e7ae15170c72ce7c7/proposals/CSP.md#using-existing-csp-script-src-policies

I see the value in using a new directive like "wasm-src" instead of "script-src", but that doesn't change the need for _some_ way to bind to an origin or hash.

This issue is the WebKit counterpart to https://bugs.chromium.org/p/chromium/issues/detail?id=961485.
