- From: Charles Vaughn <cvaughn@gmail.com>
- Date: Tue, 10 Dec 2019 10:00:02 -0800
- To: public-webappsec@w3.org
- Message-ID: <CAA7P56BW-t6zOyFhXuSX9EtOBQ+a+qCgyo9PKd3N57HQNDXLXg@mail.gmail.com>
Hello webappsec, I'm a dev at Tableau, and Mike West pointed me here after a PR I made to enable this for Chrome. For background, this is the proposal here: https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md#proposed-wasm-unsafe-eval-directive It would enable the compilation and instantiation of WebAssembly from any source, but absent an unsafe-eval directive, still prevent the user agent from executing code via eval and friends. At Tableau, we've currently been deploying WebAssembly support, but so far are just using it in ways that minimize user impact if its unavailable, such as providing an alternative for server round trips, and animation. As we look towards taking a bigger step to leveraging WASM, the biggest risk for us is not being able to take advantage of a tighter CSP. It would be great if we could see some cross browser consensus on being able to use WASM without requiring unsafe-eval. Thanks, Charles V.
Received on Tuesday, 10 December 2019 19:18:00 UTC