chore: add new csp rules to allow unzipping files

[JammingBen]

Description

Adds these 2 CSP rules to our dev setup to make unzipping via wasm work:

• child-src: blob
• script-src: wasm-unsafe-eval

Tbh I'm not sure how "unsafe" the second rule is... but AFAIK it's needed for wasm to work. If that isn't an option, we need to look for a different library for unzipping.

Related Issue

• Works towards https://github.com/owncloud/web/issues/11264

Types of changes

• [ ] Bug fix (non-breaking change which fixes an issue)
• [ ] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to change)
• [x] Technical debt
• [ ] Tests
• [ ] Documentation
• [ ] Maintenance (e.g. dependency updates or tooling)

[update-docs[bot]]

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

[JammingBen]

@DeepDiver1975 Do you have an opinion about the second CSP rule script-src: wasm-unsafe-eval? Is it generally "safe" to use, or should it be avoided?

[DeepDiver1975]

from my pov it is as unsafe as unsafe-inline and from my understanding both shall be avoided.

I have little understanding if there is a proper way to make things work without wasm-unsafe-eval.

Usually there is a way to make things work without specing unsafe CSPs - no idea about wasm.

It might be worth to spend some time to research into this and potentially reach out to the libarchive project.

[JammingBen]

Thanks for the feedback! I'll do a little more research then and check potential other libs.

[JammingBen]

I've found another lib that seems to be suitable, hence closing here. Let's be on the safe side.