Re: wasm-unsafe-eval script-src directive

Can you add examples on how that would behave with artificially-created
Responses?

On Tue, Dec 10, 2019 at 2:19 PM Charles Vaughn <cvaughn@gmail.com> wrote:

> Hello webappsec,
>
> I'm a dev at Tableau, and Mike West pointed me here after a PR I made to
> enable this for Chrome. For background, this is the proposal here:
> https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md#proposed-wasm-unsafe-eval-directive
>
>
> It would enable the compilation and instantiation of WebAssembly from any
> source, but absent an unsafe-eval directive, still prevent the user agent
> from executing code via eval and friends.
>
> At Tableau, we've currently been deploying WebAssembly support, but so far
> are just using it in ways that minimize user impact if it's unavailable,
> such as providing an alternative for server round trips, and animation. As
> we look towards taking a bigger step to leveraging WASM, the biggest risk
> for us is not being able to take advantage of a tighter CSP. It would be
> great if we could see some cross-browser consensus on being able to use
> WASM without requiring unsafe-eval.
>
> Thanks,
>
> Charles V.
>


-- 
koto@ / Krzysztof Kotowicz / Google

Received on Tuesday, 10 December 2019 19:47:26 UTC
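
The split described in the quoted message (WebAssembly compilation allowed, eval still blocked), as an added example that is not part of the thread or of the linked proposal's text. The function names and sample policies are constructed; the model assumes that with neither keyword present both eval and WebAssembly compilation are blocked, and it covers only this gate, not full CSP source matching.

```javascript
// Parse a Content-Security-Policy header value into directive -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Decide which dynamic-code gates a policy opens.
// The quoted summary says Wasm is allowed "from any source", so this
// model takes no argument describing where the module bytes came from.
function evalGates(header) {
  const d = parsePolicy(header);
  // script-src falls back to default-src when it is absent.
  const sources = d.get('script-src') || d.get('default-src');
  // No governing directive: nothing is restricted.
  if (sources === undefined) return { jsEval: true, wasmCompile: true };
  const unsafeEval = sources.includes("'unsafe-eval'");
  const wasmOnly = sources.includes("'wasm-unsafe-eval'");
  return {
    jsEval: unsafeEval,                  // eval(), new Function(), string timers
    wasmCompile: unsafeEval || wasmOnly, // WebAssembly.compile / instantiate
  };
}

// Constructed sample policies: broad setting first, tighter one second.
const samplePolicies = [
  "script-src 'self' 'unsafe-eval'",
  "script-src 'self' 'wasm-unsafe-eval'",
  "script-src 'self'",
  "default-src 'self' 'wasm-unsafe-eval'; img-src *",
];
for (const policy of samplePolicies) {
  console.log(policy, '=>', JSON.stringify(evalGates(policy)));
}
```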