Enhancements to Content Security Policy to improve interoperability with WebAssembly.
Allows web developers to be more fine grained in their policy wrt executing WebAssembly. Currently, if there is a non-empty CSP policy for a page, the unsafe-eval policy must be enabled. This allows a developer to use wasm-unsafe-eval that only allows WebAssembly execution and has no impact on JavaScript execution. In addition, the proposal is to extend existing CSP script-src policies to include WebAssembly. Since WebAssembly does not have an element tag, this will be, initially, to apply script-src policies to the relevant API calls: WebAssembly.instantiateStreaming etc.
Contact emails
ad...@chromium.org, f...@chromium.org
Explainer
https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md
Specification
https://github.com/w3c/webappsec-csp/pull/293
Summary
Enhancements to Content Security Policy to improve interoperability with WebAssembly.
Blink component
Blink
Motivation
Allows web developers to be more fine grained in their policy wrt executing WebAssembly. Currently, if there is a non-empty CSP policy for a page, the unsafe-eval policy must be enabled. This allows a developer to use wasm-unsafe-eval that only allows WebAssembly execution and has no impact on JavaScript execution. In addition, the proposal is to extend existing CSP script-src policies to include WebAssembly. Since WebAssembly does not have an element tag, this will be, initially, to apply script-src policies to the relevant API calls: WebAssembly.instantiateStreaming etc.
Initial public proposal
https://github.com/w3c/webappsec-csp/pull/293
Search tags
wasm, webassembly, csp
TAG review
Not needed
TAG review status
Risks
Interoperability and Compatibility
Gecko: https://github.com/mozilla/standards-positions/issues/574#
WebKit: see https://lists.webkit.org/pipermail/webkit-dev/2021-August/031974.html
Web developers:
Debuggability
Is this feature fully tested by web-platform-tests?
Yes
Flag name
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=841404
Estimated milestones
Link to entry on the Chrome Platform Status
https://www.chromestatus.com/feature/5499765773041664
This intent message was generated by Chrome Platform Status.
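The difference between 'unsafe-eval' and 'wasm-unsafe-eval' described in the Motivation above, as an added example that is not part of the original message, the proposal text or Chromium's code. The helper names `parseCsp` and `evalPermissions` are hypothetical, the sample policies are constructed, and the model assumes enforced (not report-only) policies with `script-src` falling back to `default-src`.

```javascript
// Added illustration: models how a CSP header gates JS eval() versus WebAssembly compilation.
// parseCsp and evalPermissions are hypothetical helper names, not browser APIs.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// A header may carry several comma-separated policies; every one must allow the operation.
function evalPermissions(headerValue) {
  let jsEval = true;
  let wasm = true;
  for (const policy of headerValue.split(',')) {
    const directives = parseCsp(policy);
    // Assumption: script-src governs both checks, falling back to default-src.
    const sources = directives.get('script-src') ?? directives.get('default-src');
    if (sources === undefined) continue; // this policy does not restrict script execution
    const unsafeEval = sources.includes("'unsafe-eval'");
    jsEval = jsEval && unsafeEval;
    wasm = wasm && (unsafeEval || sources.includes("'wasm-unsafe-eval'"));
  }
  return { jsEval, wasm };
}

// Constructed sample policies.
const samples = [
  "script-src 'self'",
  "script-src 'self' 'unsafe-eval'",
  "script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self' 'wasm-unsafe-eval'; img-src *",
  "script-src 'self' 'wasm-unsafe-eval', script-src 'self'",
];
for (const s of samples) console.log(s, '=>', evalPermissions(s));
```

Only the third and fourth samples give the outcome the proposal is after: WebAssembly compiles while JavaScript `eval()` stays blocked.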
The proposed change is very small and not 'architectural'. The proposal adds a new policy keyword to CSP and extends the role (slightly) of script-src itself.
On Thu, Sep 2, 2021 at 6:43 AM Yoav Weiss <yoav...@chromium.org> wrote:
On Wed, Sep 1, 2021 at 9:00 PM Francis McCabe <f...@chromium.org> wrote:
Contact emails
ad...@chromium.org, f...@chromium.org
Explainer
https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md
Specification
https://github.com/w3c/webappsec-csp/pull/293
Summary
Enhancements to Content Security Policy to improve interoperability with WebAssembly.
Blink component
Blink
Motivation
Allows web developers to be more fine grained in their policy wrt executing WebAssembly. Currently, if there is a non-empty CSP policy for a page, the unsafe-eval policy must be enabled. This allows a developer to use wasm-unsafe-eval that only allows WebAssembly execution and has no impact on JavaScript execution. In addition, the proposal is to extend existing CSP script-src policies to include WebAssembly. Since WebAssembly does not have an element tag, this will be, initially, to apply script-src policies to the relevant API calls: WebAssembly.instantiateStreaming etc.
Initial public proposal
https://github.com/w3c/webappsec-csp/pull/293
Search tags
wasm, webassembly, csp
TAG review
Not needed
Can you expand on why you think a TAG review is not needed?