- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 20 May 2022 13:51:11 -0700
- To: WebAppSec WG <public-webappsec@w3.org>

Starting with the current Firefox Nightly, Firefox has implemented the Content-security-policy feature described in section 4.5, "Integration with WebAssembly". Contexts that use WASM and have an enforced CSP will need to specify 'unsafe-eval' or the new 'wasm-unsafe-eval' if they have a script-src or default-src directive. This will ship with Firefox 102 in July if all goes well.

Chrome has required 'unsafe-eval' for WASM for a long time and has supported 'wasm-unsafe-eval' since Chrome 97. Support for 'wasm-unsafe-eval' appears to have landed in WebKit nightly recently as well, though I don't know what their release plans for it are.

There are lots of links to more detail in the forwarded mail below for those interested.

-Dan Veditz

---------- Forwarded message ---------
From: Tom Schuster <tschuster@mozilla.com>
Date: Fri, May 20, 2022 at 7:14 AM
Subject: Re: [dev-platform] Intent to prototype and ship: wasm-unsafe-eval Content-Security-Policy directive
To: dev-platform@mozilla.org <dev-platform@mozilla.org>

After some delays this is now in Nightly and hopefully shipping in Firefox 102.

On Wed, Apr 20, 2022 at 10:54 AM Tom Schuster <tschuster@mozilla.com> wrote:
>
> WebAssembly code generation and execution is now controlled by the Content-Security-Policy header. It can be allowed using the existing unsafe-eval directive or the more precise unsafe-wasm-eval directive. This means existing pages that use WASM and a strict CSP might break.
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1740263
> Specification: https://github.com/WebAssembly/content-security-policy, https://w3c.github.io/webappsec-csp/#can-compile-wasm-bytes
> Discussion: https://github.com/WebAssembly/spec/issues/1393, https://github.com/w3c/webappsec-csp/pull/293
> Platform coverage: all
> Preference: security.csp.wasm-unsafe-eval.enabled
>
> Other browsers:
> Blink: Shipped in Stable (https://groups.google.com/a/chromium.org/g/blink-dev/c/5U_SgZ3r8QI/m/2a0578luBgAJ)
> WebKit: https://bugs.webkit.org/show_bug.cgi?id=235408
>
> Web-platform-tests: https://github.com/web-platform-tests/wpt/tree/master/content-security-policy/wasm-unsafe-eval

Received on Friday, 20 May 2022 20:51:51 UTC
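
An added example, not part of the original mail or of Firefox's code: a header audit that applies the rule stated in the message (an enforced policy with a script-src or default-src directive must list 'unsafe-eval' or 'wasm-unsafe-eval' for WASM to compile). The function names and the sample header values are constructed for illustration, and the input is assumed to be the value of an enforced Content-Security-Policy header, not a report-only one.

```javascript
// Split one serialized policy into a directive-name -> source-list map.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores repeated directives: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns { allowed, governedBy, reason } for one serialized policy.
function wasmCompileAllowedByPolicy(text) {
  const directives = parsePolicy(text);
  // script-src governs when present; default-src is only the fallback.
  const governedBy = directives.has("script-src") ? "script-src"
    : directives.has("default-src") ? "default-src" : null;
  if (governedBy === null) {
    return { allowed: true, governedBy, reason: "no script-src or default-src" };
  }
  // Keyword sources are matched case-insensitively.
  const sources = directives.get(governedBy).map((s) => s.toLowerCase());
  const keyword = ["'wasm-unsafe-eval'", "'unsafe-eval'"].find((k) => sources.includes(k));
  return keyword
    ? { allowed: true, governedBy, reason: `${keyword} present` }
    : { allowed: false, governedBy, reason: "needs 'wasm-unsafe-eval' (or 'unsafe-eval')" };
}

// A header value may carry several comma-separated policies; every one must allow.
function wasmCompileAllowed(headerValue) {
  const results = headerValue.split(",").map((p) => p.trim()).filter(Boolean)
    .map(wasmCompileAllowedByPolicy);
  return { allowed: results.every((r) => r.allowed), results };
}

// Constructed sample header values (not taken from any real site).
const samples = [
  "default-src 'self'",
  "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'unsafe-eval'; script-src 'self'",
  "img-src *",
  "script-src 'self' 'wasm-unsafe-eval', default-src 'none'",
];
for (const s of samples) console.log(wasmCompileAllowed(s).allowed, "<-", s);
```

The third sample shows the case most likely to surprise: a keyword on default-src has no effect once script-src is present, so the keyword has to go on the directive that actually governs.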