extension: Change unsafe-eval to wasm-eval in CSP #6026
What's the status in Firefox (edit: and Safari)? On MDN, it's not mentioned at all.
Also, does this affect #2201 in any way? (I guess not, since it's more about code injection?)
Confusingly this was renamed to Firefox allowed the WebAssembly instantiation regardless of Not sure about Safari and #2201 -- I expect there to be no changes here. Can someone test?
Did some testing. Here's the behavior of the Ruffle extension, which is the same both before this PR (
I'm still not totally sure why the SWF URL case in Chrome works with Footnotes
That does seem to match the commit message. Presumably it was necessary for backwards compatibility I'm guessing (so preexisting extensions using wasm-eval would still work): https://chromium.googlesource.com/chromium/src/+/791c8335079bbe7abe7a1b7b6251317ec62b2563 Edit: See also https://groups.google.com/a/chromium.org/g/blink-dev/c/5U_SgZ3r8QI/m/oRyGAsZOBgAJ:
It should be ignored according to this, but I didn't verify: https://bugzilla.mozilla.org/show_bug.cgi?id=1282978
It looks like Chrome has supported I am still considering adding
Firefox does display a warning on unknown CSP directives, so indeed I decided to inject
`unsafe-eval` was needed in the extension Content Security Policy for Wasm compilation in Chrome. This CSP setting causes the extension to get flagged in the Mozilla Add-On Marketplace, which discourages the use of `unsafe-eval`. However, Chrome has a `wasm-eval` CSP setting which also allows extensions to compile Wasm without requiring `unsafe-eval`. Inject this into the extension manifest when building the Chrome extension. Eventually this may change to `wasm-unsafe-eval` as drafted by the CSP spec and be required by all browsers.
Hi there, my team is also paying close attention to the developments with
In Chrome, `unsafe-eval` was needed in the extension Content Security Policy for Wasm compilation. Other browsers seemed to work regardless of this setting.
Unfortunately, this CSP setting causes the extension to get flagged in the Mozilla Add-On Marketplace, which discourages the use of `unsafe-eval`. Chrome specifically has a `wasm-eval` for allowing Wasm in extensions, so let's switch to that instead.
The CSP spec has added a `wasm-unsafe-eval` setting, and Chrome will deprecate `wasm-eval` eventually; we may need this for all browsers as they start to support it.
w3c/webappsec-csp#293
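
The manifest injection that the commit message and PR description above describe, sketched as an added example; this is not Ruffle's build code. It assumes a Manifest V2 style manifest with a string `content_security_policy`, and the function names and the sample manifest are hypothetical.

```javascript
// Added example, not Ruffle's build code. Assumes a Manifest V2 style
// manifest whose `content_security_policy` is a single policy string.

// Parse a CSP string into a Map: directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

const isUnsafeEval = (s) => s.toLowerCase() === "'unsafe-eval'";

// Return a copy of `manifest` whose script-src drops 'unsafe-eval' and, for
// Chrome builds only, carries the Wasm-specific keyword instead.
function buildManifest(manifest, target, wasmKeyword = "'wasm-eval'") {
  const csp = parseCsp(
    manifest.content_security_policy || "script-src 'self'; object-src 'self'"
  );
  const scriptSrc = (csp.get("script-src") || ["'self'"]).filter((s) => !isUnsafeEval(s));
  if (target === "chrome" && !scriptSrc.includes(wasmKeyword)) {
    scriptSrc.push(wasmKeyword);
  }
  csp.set("script-src", scriptSrc);
  return { ...manifest, content_security_policy: serializeCsp(csp) };
}

// Build-time check: names of directives that still allow general eval().
function findUnsafeEval(policy) {
  return [...parseCsp(policy)]
    .filter(([, sources]) => sources.some(isUnsafeEval))
    .map(([name]) => name);
}

// Constructed sample manifest, not taken from the project.
const base = {
  name: "example-extension",
  manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
console.log(buildManifest(base, "chrome").content_security_policy);
console.log(buildManifest(base, "firefox").content_security_policy);
```

Passing `'wasm-unsafe-eval'` as the third argument switches the Chrome build to the CSP spec keyword mentioned above.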