WebAssembly / spec

WebAssembly specification, reference interpreter, and test suite.
https://webassembly.github.io/spec/

[js-api] Needs to integrate with CSP #1393

Open annevk opened 2 years ago

annevk commented 2 years ago

It seems that https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md hasn't been integrated here yet, but https://w3c.github.io/webappsec-csp/#can-compile-wasm-bytes does exist.

@antosart @fgmccabe

fgmccabe commented 2 years ago

What do you mean by 'integrated'?

annevk commented 2 years ago

Well, where is EnsureCSPDoesNotBlockWasmByteCompilation invoked? It seems https://webassembly.github.io/spec/js-api/ has to do that, no?

fgmccabe commented 2 years ago

I will take a look at this. I thought it was done but something 'went wrong' with git when I merged upstream.

fgmccabe commented 2 years ago

I am now crafting an appropriate algorithm.

evilpie commented 2 years ago

@fgmccabe Hi! I am starting to look into implementing this in Firefox. Has there been any update here?

fgmccabe commented 2 years ago

wasm-unsafe-eval shipped in Chrome 97. What additional information are you looking for?

evilpie commented 2 years ago

As far as I can tell https://webassembly.github.io/spec/js-api/ doesn't include any references to EnsureCSPDoesNotBlockWasmByteCompilation yet.

fgmccabe commented 2 years ago

It has not been standardized yet. You need to look at https://github.com/WebAssembly/content-security-policy for the CSP stuff, and https://github.com/WebAssembly/content-security-policy/tree/main/document/web-api and https://github.com/WebAssembly/content-security-policy/pull/40 in particular. (The latter represents unfinished business at the moment.)

annevk commented 2 years ago

What's the holdup with getting it standardized on the Wasm side? It's certainly standardized on the CSP side, though that was on the presumption it would be here as well.

fgmccabe commented 2 years ago

A combination of factors:

  1. It is currently in stage 3 of the process (the standards process is different for wasm & CSP)
  2. In order to get to stage 4, we will need a second implementation. (Which is where you come in :))
  3. Some laziness/lack of prioritization on my part
  4. I have recently been focusing on fixing a CSP/wasm issue with extensions manifest V3

annevk commented 2 years ago

For 2 it would help to have some clarity with respect to what to implement though.

fgmccabe commented 2 years ago

wasm-unsafe-eval?

annevk commented 2 years ago

Yes, and in particular how it interacts with the Wasm APIs.

fgmccabe commented 2 years ago

You can see a draft of the wasm proposal at https://webassembly.github.io/content-security-policy/
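
The CSP-side decision discussed in this thread, as an added example (not code from the spec, the proposal, or any browser): it models the EnsureCSPDoesNotBlockWasmByteCompilation check from the linked CSP specification as read here, consulting only script-src with a default-src fallback. The function names, the policy object shape, and the sample policies are assumptions made for illustration.

```javascript
// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    // CSP ignores duplicate directives: the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, parts.slice(1).map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// policies: [{ value: "<serialized policy>", disposition: "enforce" | "report" }]
// Returns "allowed"/"blocked" plus every policy that would report a violation.
function checkWasmByteCompilation(policies) {
  let result = "allowed";
  const violations = [];
  for (const { value, disposition } of policies) {
    const directives = parsePolicy(value);
    // Only script-src is consulted, falling back to default-src.
    const sourceList =
      directives.get("script-src") ?? directives.get("default-src") ?? null;
    if (sourceList === null) continue; // policy does not govern script
    const permits =
      sourceList.includes("'unsafe-eval'") ||
      sourceList.includes("'wasm-unsafe-eval'");
    if (permits) continue;
    violations.push({ policy: value, disposition });
    // Report-only policies record a violation but never block.
    if (disposition === "enforce") result = "blocked";
  }
  return { result, violations };
}

// Constructed sample policies, not taken from any real site.
const SAMPLES = [
  [{ value: "script-src 'self'", disposition: "enforce" }],
  [{ value: "script-src 'self' 'wasm-unsafe-eval'", disposition: "enforce" }],
  [{ value: "default-src 'none'; img-src *", disposition: "report" }],
];
for (const policies of SAMPLES) {
  console.log(policies[0].value, "->", checkWasmByteCompilation(policies).result);
}
```

In this model `'wasm-unsafe-eval'` permits Wasm byte compilation without also granting JavaScript `eval()`, which is the narrower keyword to prefer when auditing a policy.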