polkadot-js / wasm

A collection of WASM wrappers (mostly around Rust libraries) that are used as faster versions of JS-native functions on Polkadot and Substrate networks.
Apache License 2.0
129 stars 37 forks source link

`wasm-crypto` not loading in environments where `wasm-unsafe-eval` CSP is not allowed #538

Open krhougs opened 1 year ago

krhougs commented 1 year ago

TL;DR

Please change current dynamic loading codes to simply import wasmBytes from "path/to.wasm" in the production bundle to make the library work in secure environments.

I am trying to sign payloads within a Cloudflare Worker. The runtime refuses loading the wasm bytes in memory since the CSP policy wasm-unsafe-eval is not allowed in the runtime. After some research, I found that this affects multiple scenarios:

I appreciate the current dynamic façon to keep the bundle tiny in size, but it won't work in some secure environments.

Some reading: https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md

Expected: the library should load Current: FATAL: Unable to initialize @polkadot/wasm-crypto:: WebAssembly.instantiate(): Wasm code generation disallowed by embedder

This happens in ANY Environment where wasm-unsafe-eval is not allowed

uno-b commented 1 year ago

I'm creating an extension and having the same problem. Defining "wasm-unsafe-eval" in my Manifest.v2 fixes my problem, but not in Manifest.v3 because of the security changes. So it's only a temporary solution.

krhougs commented 1 year ago

@jacogr