Need a specific CSP policy for enabling WebAssembly execution #443

Closed
juj opened this issue Oct 7, 2020 · 2 comments

juj commented Oct 7, 2020

Currently if a site contains a Content Security Policy directive, e.g.

Content-Security-Policy: script-src 'self';

Then this will disallow the execution of eval(), since the CSP directive unsafe-eval has not been passed. However, in Google Chrome it also has the effect of disabling the ability to run any WebAssembly content on the page, giving an error

CompileError: WebAssembly.instantiate(): Wasm code generation disallowed by embedder

One has to specify

Content-Security-Policy: script-src 'self' 'unsafe-eval';

in Chrome to make it work.

However, working with web site hosts, they are generally very hesitant to add support for 'unsafe-eval', because every web developer has by now heard "eval() is bad!". As a result, they are eager to also disallow WebAssembly content to run.

It is unfortunate that WebAssembly.compile() and WebAssembly.instantiate() execution has been likened to eval() in Chrome. While technically true, it is much more difficult to inject WebAssembly.instantiate() based exploits onto a page, compared to plain eval(), because WebAssembly cannot directly access any of the DOM unless one is able to also inject JavaScript code to import some web APIs to it.

I wish to propose that a WebAssembly-specific CSP policy would be added, e.g. 'wasm-eval', that would enable WebAssembly.instantiate() without opening up eval(). That would make web site hosts happy, and allow them to open up the minimal amount of security to let WebAssembly work.

The CSP policy 'unsafe-eval' could certainly still imply 'wasm-eval' capability.

Related, I notice that Firefox does not implement this 'unsafe-eval' CSP behavior. (CC @lukewagner).

Also, I am unsure if WebAssembly.compileStreaming() and WebAssembly.instantiateStreaming() are currently disabled in Chrome if 'unsafe-eval' CSP is not enabled. @dschuff: do you know? My impression is that if 'unsafe-eval' is disallowed on a site, and even if that would/should disable WebAssembly.compile() and WebAssembly.instantiate() capability, it should still by design enable WebAssembly.compileStreaming() and WebAssembly.instantiateStreaming() to work?

dschuff (Member) commented Oct 7, 2020

There is a proposal to standardize this behavior for wasm (see https://github.com/WebAssembly/content-security-policy) but it's been stalled for a while. @binji might be working on that soon.

dveditz (Member) commented May 20, 2022

I believe this has been addressed by PR #293, which has shipped in Chrome and is recently available in Firefox Nightly.

dveditz closed this as completed May 20, 2022
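
The distinction this thread asks for, as an added example that is not part of the original issue or of any browser's code: a small header auditor that follows the CSP Level 3 rules, where the WebAssembly-only keyword is spelled 'wasm-unsafe-eval' (the thread proposed the name 'wasm-eval'). The function names and all sample headers other than the two quoted in the issue are constructed for illustration.

```javascript
// Added example: evaluates CSP header text against the CSP Level 3 rules
// for eval() and WebAssembly compilation. Function names are illustrative.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide what a single policy permits. script-src falls back to default-src;
// a policy with neither directive places no restriction on eval or wasm.
function auditPolicy(text) {
  const directives = parsePolicy(text);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return { eval: true, wasm: true };
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const evalAllowed = has("'unsafe-eval'");
  // 'unsafe-eval' implies wasm; 'wasm-unsafe-eval' grants wasm only.
  return { eval: evalAllowed, wasm: evalAllowed || has("'wasm-unsafe-eval'") };
}

// A header value can carry several comma-separated policies; every one of
// them must allow an action for the browser to permit it.
function auditHeader(headerValue) {
  const results = headerValue.split(',').filter((p) => p.trim()).map(auditPolicy);
  return { eval: results.every((r) => r.eval), wasm: results.every((r) => r.wasm) };
}

// Sample headers: the first two are quoted in the issue, the rest constructed.
const samples = [
  "script-src 'self';",
  "script-src 'self' 'unsafe-eval';",
  "script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self'",
  "img-src *",
  "script-src 'self' 'wasm-unsafe-eval', script-src 'self'",
];
for (const h of samples) console.log(JSON.stringify(auditHeader(h)), h);
```

A result of `{"eval":false,"wasm":true}` is the state the issue asks for: WebAssembly compiles while eval() stays blocked.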