Enhancements to Content Security Policy to improve interoperability with WebAssembly.

Motivation

Allows web developers to be more fine grained in their policy wrt executing WebAssembly. Currently, if there is a non-empty CSP policy for a page, the unsafe-eval policy must be enabled. This allows a developer to use wasm-unsafe-eval that only allows webassembly execution and has no impact on javaScript execution. In addition, the proposal is to extend existing CSP script-src policies to include webassembly. Since e=WebAssembly does not have an element tag, this will be, initially, to apply script-src policies to the relevant API calls: WebAssembly.instantiateStreaming etc.

Documentation

Specification

Specification link


Specification currently under development in a Working Group

Status in Chromium

Blink


Proposed (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • No signals

Owner

Search tags

wasm, webassembly, csp,

Last updated on 2021-08-30