The current WASM build generates a loader that uses new Function(), which performs a Javascript eval. This is problematic if you want to use a CSP on your site that does not allow unsafe-eval - in other words, if you want to use the transcoder, you're forced to enable eval on your site, which is a security risk.
The NO_DYNAMIC_EXECUTION flag can be used to disable the dynamic execution facilities of the module, which avoids the use of eval but drops support for a few emscripten functions (https://github.com/emscripten-core/emscripten/blob/main/src/settings.js#L1256) which seem unneeded for Basis's use cases. (I may be wrong about this, so hope the PR reviewer can confirm.)
This PR enables this option which re-enables site admins to disable eval on sites which use the basis transcoder.
The current WASM build generates a loader that uses
new Function(), which performs a Javascripteval. This is problematic if you want to use a CSP on your site that does not allowunsafe-eval- in other words, if you want to use the transcoder, you're forced to enableevalon your site, which is a security risk.The
NO_DYNAMIC_EXECUTIONflag can be used to disable the dynamic execution facilities of the module, which avoids the use of eval but drops support for a few emscripten functions (https://github.com/emscripten-core/emscripten/blob/main/src/settings.js#L1256) which seem unneeded for Basis's use cases. (I may be wrong about this, so hope the PR reviewer can confirm.)This PR enables this option which re-enables site admins to disable
evalon sites which use the basis transcoder.Thanks for considering the PR!