- From: Charles Vaughn <cvaughn@gmail.com>
- Date: Tue, 10 Dec 2019 11:57:24 -0800
- To: Krzysztof Kotowicz <koto@google.com>
- Cc: public-webappsec@w3.org
- Message-ID: <CAA7P56DXLGCaGVbeuzHkx=+iL2WEOjT7F18Z_urpQFn1AJOkKQ@mail.gmail.com>
Not sure I understand what you mean? The proposal at
https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md#csp-policy-application-summary
has a matrix on expected behavior of the WebAssembly APIs and eval with the different flags.

On Tue, Dec 10, 2019 at 11:47 AM Krzysztof Kotowicz <koto@google.com> wrote:

> Can you add examples on how that would behave with artificially-created
> Responses?
>
> On Tue, Dec 10, 2019 at 2:19 PM Charles Vaughn <cvaughn@gmail.com> wrote:
>
>> Hello webappsec,
>>
>> I'm a dev at Tableau, and Mike West pointed me here after a PR I made to
>> enable this for Chrome. For background, this is the proposal here:
>> https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md#proposed-wasm-unsafe-eval-directive
>>
>> It would enable the compilation and instantiation of WebAssembly from any
>> source, but absent an unsafe-eval directive, still prevent the user agent
>> from executing code via eval and friends.
>>
>> At Tableau, we've currently been deploying WebAssembly support, but so
>> far are just using it in ways that minimize user impact if it's unavailable,
>> such as providing an alternative for server round trips, and animation. As
>> we look towards taking a bigger step to leveraging WASM, the biggest risk
>> for us is not being able to take advantage of a tighter CSP. It would be
>> great if we could see some cross-browser consensus on being able to use
>> WASM without requiring unsafe-eval.
>>
>> Thanks,
>>
>> Charles V.
>>
>
> --
> koto@ / Krzysztof Kotowicz / Google
Received on Tuesday, 10 December 2019 19:57:38 UTC
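
The split discussed in this thread, as an added example that is not part of the original messages or of any browser's code: a small model of how the `script-src` keywords gate `eval()` and WebAssembly compilation, so a deployment can check that a tightened policy keeps WASM working while string evaluation stays blocked. It assumes `'unsafe-eval'` permits both and `'wasm-unsafe-eval'` permits WebAssembly only; the function names and sample policies are constructed for illustration.

```javascript
// Added example: models how script-src keywords gate eval() and WebAssembly.
// Directive names are matched case-insensitively; the first duplicate wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Dynamic code checks consult script-src and fall back to default-src.
function evaluatePolicy(policy) {
  const d = parsePolicy(policy);
  const sources = d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return { eval: true, wasm: true }; // nothing restricts scripts
  const kw = new Set(sources.map((s) => s.toLowerCase()));
  const unsafeEval = kw.has("'unsafe-eval'");
  return { eval: unsafeEval, wasm: unsafeEval || kw.has("'wasm-unsafe-eval'") };
}

// A header may carry several comma-separated policies; every one must allow the operation.
function evaluateHeader(headerValue) {
  const results = headerValue.split(",").map((p) => p.trim()).filter(Boolean).map(evaluatePolicy);
  return {
    eval: results.every((r) => r.eval),
    wasm: results.every((r) => r.wasm),
  };
}

// Constructed sample policies (not taken from the thread).
const SAMPLES = {
  strict: "default-src 'self'",
  legacy: "script-src 'self' 'unsafe-eval'",
  proposed: "script-src 'self' 'wasm-unsafe-eval'",
  layered: "script-src 'self' 'unsafe-eval', script-src 'self' 'wasm-unsafe-eval'",
};

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name, evaluateHeader(value));
}
```

The `layered` sample shows why adding a second, tighter policy is enough to drop `eval()`: every delivered policy must allow an operation for it to proceed.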