WebAssembly / content-security-policy


No way to use WebAssembly on Chrome without 'unsafe-eval' #7

Closed hackcasual closed 3 years ago

hackcasual commented 6 years ago

To give a bit of background, I am a software engineer at Tableau, on our online data visualization tool. We have been targeting WebAssembly for improving visualization interactivity. As part of our security efforts, we have been working on being able to support a restrictive CSP.

Currently Chrome disables compileStreaming/instantiateStreaming with CSP on and not allowing 'unsafe-eval'. Other implementations (FF/Safari/Edge) at least allow the streaming versions of the compile/instantiate commands. The 8/8/2017 meeting notes seem to indicate that Chrome is following the original straw proposal. Chrome has implemented 'wasm-eval', but restricted it to apps/extensions.

Either treating the Response object as an origin according to the given CSP or adopting 'wasm-eval' would allow us to move forward.
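The following is an added example, not part of the original comment or of any project's code: a small policy audit that reports whether a CSP header relies on the broad 'unsafe-eval' keyword or on the narrower 'wasm-eval' keyword discussed in this issue. The function names and sample policies are constructed for illustration.

```javascript
// Added example: audit a CSP header for the eval keywords named in this issue.
// parseCsp/auditWasmCsp are hypothetical helper names, not a browser API.

// Parse a Content-Security-Policy value into a Map of directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report how a policy treats the keywords that gate WebAssembly compilation.
function auditWasmCsp(header) {
  const d = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) {
    return { restricted: false, unsafeEval: false, wasmEval: false,
             finding: 'no script restriction in this policy' };
  }
  const kw = sources.map((s) => s.toLowerCase()); // keywords are case-insensitive
  const unsafeEval = kw.includes("'unsafe-eval'");
  const wasmEval = kw.includes("'wasm-eval'");
  let finding;
  if (unsafeEval) finding = "'unsafe-eval' present: JS eval is allowed along with wasm";
  else if (wasmEval) finding = "'wasm-eval' present: wasm allowed only where the browser honors it";
  else finding = 'no eval keyword: wasm compilation depends on the browser';
  return { restricted: true, unsafeEval, wasmEval, finding };
}

// Constructed sample policies, not taken from any real site.
const SAMPLE_POLICIES = [
  "default-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-eval'",
  "script-src 'self' 'wasm-eval'",
];
for (const p of SAMPLE_POLICIES) console.log(p, '=>', auditWasmCsp(p).finding);
```
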