WebKit Bugzilla
Bug 257048 (NEW): CSP: Support origins and hashes for WebAssembly
https://bugs.webkit.org/show_bug.cgi?id=257048
Rob
Reported
2023-05-19 13:18:05 PDT
My hopes for Bug 173105 were high, but sadly the only way to permit WASM in a CSP is still with either `unsafe-eval` or `wasm-unsafe-eval` (added with Bug 235408). That means that the strictest a developer can get with the CSP is to say that either all WASM or no WASM can be run. As with JavaScript, though, we (1Password) would like to limit what WASM can be run on our domain, either by request origin (for WASM streaming APIs) or by SRI hash (streaming or not). The original proposal for this can be found here:
https://github.com/WebAssembly/content-security-policy/blob/57b7b528bb5723b37e50497348e0432a7ad65c70/proposals/CSP.md#proposed-origin-bound-permission

Unfortunately, the current version of the proposal has backtracked to remove the parts about binding to the request origin or SRI hash, replacing them with a commentary on the suitability of "script-src":
https://github.com/WebAssembly/content-security-policy/blob/dd75e5ba3d31aa50cda1216e7ae15170c72ce7c7/proposals/CSP.md#using-existing-csp-script-src-policies

I see the value in using a new directive like "wasm-src" instead of "script-src", but that doesn't change the need for _some_ way to bind to an origin or hash. This issue is the WebKit counterpart to https://bugs.chromium.org/p/chromium/issues/detail?id=961485.
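The gap described in this report, as an added example that is not part of the original report or of WebKit's code: a small auditor that classifies how one CSP policy string treats WebAssembly compilation, assuming the CSP Level 3 behaviour where `script-src` (falling back to `default-src`) governs it. The function names, result labels and sample policies are constructed for illustration.

```javascript
// Added example: audit how a single CSP policy string treats WebAssembly.
// parseCsp and wasmPolicy are hypothetical helper names, not a browser API.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; only its first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function wasmPolicy(policy) {
  const directives = parseCsp(policy);
  // script-src governs WebAssembly compilation, with default-src as fallback.
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return { wasm: "unrestricted", noEffectOnWasm: [] };
  const lower = sources.map((s) => s.toLowerCase());
  const gates = ["'unsafe-eval'", "'wasm-unsafe-eval'"];
  // Every other source expression (origin, hash, nonce, 'self') has no
  // bearing on whether a WebAssembly module may be compiled today.
  const noEffectOnWasm = sources.filter((s, i) => !gates.includes(lower[i]));
  let wasm = "blocked";
  if (lower.includes("'wasm-unsafe-eval'")) wasm = "allowed-wasm-only";
  // 'unsafe-eval' also re-enables JavaScript eval(), so report it separately.
  if (lower.includes("'unsafe-eval'")) wasm = "allowed-with-js-eval";
  return { wasm, noEffectOnWasm };
}

// Constructed sample policies (the hash value is a placeholder).
const samples = [
  "script-src 'self' https://cdn.example 'sha256-PLACEHOLDER='",
  "script-src 'self' 'wasm-unsafe-eval' 'sha256-PLACEHOLDER='",
  "default-src 'self' 'unsafe-eval'",
];
for (const csp of samples) console.log(csp, "=>", wasmPolicy(csp));
```

The second sample shows the limitation the report describes: the hash and `'self'` entries land in `noEffectOnWasm`, so the policy permits every module or none.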
Anne van Kesteren
Comment 1
2023-05-22 10:48:44 PDT
This is a reasonable request, but ideally the standard changes first. From a quick search through https://github.com/w3c/webappsec-csp/issues it appears this isn't being discussed. I recommend starting a discussion there.
Radar WebKit Bug Importer
Comment 2
2023-05-26 13:19:17 PDT
<rdar://problem/109902189>