- From: Krzysztof Kotowicz <koto@google.com>
- Date: Tue, 10 Dec 2019 14:47:10 -0500
- To: Charles Vaughn <cvaughn@gmail.com>
- Cc: public-webappsec@w3.org
- Message-ID: <CAJCw+vu0CUUgOpR0NQtsrc9ESjgf5afMe634fRZoSHFKcNF2rg@mail.gmail.com>
Can you add examples on how that would behave with artificially-created Responses? On Tue, Dec 10, 2019 at 2:19 PM Charles Vaughn <cvaughn@gmail.com> wrote: > Hello webappsec, > > I'm a dev at Tableau, and Mike West pointed me here after a PR I made to > enable this for Chrome. For background, this is the proposal here: > https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md#proposed-wasm-unsafe-eval-directive > > > It would enable the compilation and instantiation of WebAssembly from any > source, but absent an unsafe-eval directive, still prevent the user agent > from executing code via eval and friends. > > At Tableau, we've currently been deploying WebAssembly support, but so far > are just using it in ways that minimize user impact if its unavailable, > such as providing an alternative for server round trips, and animation. As > we look towards taking a bigger step to leveraging WASM, the biggest risk > for us is not being able to take advantage of a tighter CSP. It would be > great if we could see some cross browser consensus on being able to use > WASM without requiring unsafe-eval. > > Thanks, > > Charles V. > -- koto@ / Krzysztof Kotowicz / Google
Received on Tuesday, 10 December 2019 19:47:26 UTC