Closed zplata closed 1 year ago
Could you add a note about what is causing this error in Rive, and what it means for our code to enable wasm-unsafe-eval
? I read that and it sounds scary to enable 😱
@csmartdalton yeah good point! Sorry, didn't really document the issue clearly. I updated the description.
We're not enabling any wasm-unsafe-eval
on our side; this is a CSP policy attribute set from the user side of things on their web apps if they decide to set content security policies so that their apps aren't blocking our WASM from running
Should help address https://github.com/rive-app/rive-wasm/issues/131
If folks set CSP policies that block
unsafe-eval
scripts (i.e use ofnew Function()
oreval()
), they may have issues rendering Rives because our WASM (built using Emscripten) that has binding code to JS includes somenew Function()
code as part of Emscripten's inner-workings around binding. There's some effort on Emscripten's side to remove some of these pieces, but the guidance for consumers as seen in this issue is to allowwasm-unsafe-eval
in the CSP. This alone however still doesn't solve everything. We need to set thisDYNAMIC_EXECUTION=0
flag to prevent the use ofnew Function()
oreval()
in Emscripten's native binding code during build. The pairing of this fix in our WASM build setup, and the consumer settingwasm-unsafe-eval
should get Rives running in web apps if it were blocked before. While not perfect, it's better than settingunsafe-eval
for sure as a content policy.If this takes, we'll document this in our JS runtimes gitbook section