No way to use WebAssembly on Chrome without 'unsafe-eval'

[hackcasual]

To give a bit of background, I am a software engineer at Tableau, on our online data visualization tool. We have been targeting WebAssembly for improving visualization interactivity. As part of our security efforts, we have been working on being able to support a restrictive CSP.

Currently chrome disables compileStreaming/instantiateStreaming with CSP on and not allowing 'unsafe-eval'. Other implementations (FF/Safari/Edge) at least allow the streaming versions of the compile/instantiate commands. The 8/8/2017 meeting notes seems to indicate that Chrome is following the original straw proposal. Chrome has implemented 'wasm-eval', but restricted it to apps/extensions.

Either treating the Response object as an origin according to the given CSP or adopting 'wasm-eval' would allow us to move forward.

[hackcasual]

I've put together a quick example here: https://s3.amazonaws.com/webassembly-chrome-csp/csp_test.html

[mikesamuel]

I think the goal was for user-agents to become consistent in how they interpret unsafe-eval and wasm-eval directives. Issue #1 discussed how not to, and issue #2 touches on how to, but I'm not sure if consensus has been reached.

[eholk]

Right now Chrome restricts 'wasm-eval' to web apps because it's not part of the CSP standard. I'm going to try to put together a PR this week to move along the process of making 'wasm-eval' standard, at which point it should be pretty straightforward for Chrome to expose 'wasm-eval' to the web.

[hackcasual]

Awesome.

[eholk]

Out of curiosity, I just tried running your test case on Safari and got:

[Error] TypeError: WebAssembly.instantiateStreaming is not a function. (In 'WebAssembly.instantiateStreaming(fetch('simple.wasm'), importObject)', 'WebAssembly.instantiateStreaming' is undefined)
	Global Code (csp_test.js:3)

Does that match what you see? Based on the table on the Wasm CSP Proposal, Safari should not allow instantiate or instantiateStreaming without 'unsafe-eval'.

[jfbastien]

Safari currently doesn't implement streaming.

[eholk]

I just submitted the PR for 'wasm-eval': w3c/webappsec-csp#293

[hackcasual]

Has there been any movement on this? Looks like the PR has been open for over 4 months now.

[binji]

The CSP proposal stalled out as @eholk has moved on to another team. However, @titzer is starting to help out now.

[hackcasual]

Awesome, thanks for pushing this forward.

[twilco]

So just for the sake of clarity, the end goal here will be to create a CSP that allows WASM without allowing unsafe-eval of everything? I'm also looking at incorporating WebAssembly into my application and ran into this issue, so was hoping unsafe-eval wasn't the only way out.

Also, unrelated question: why do I not receive this warning on Firefox?

[titzer]

@twilco Yes, the proposed wasm-eval (or maybe unsafe-wasm-eval) would be a separate directive that enables WASM code generation independent of JavaScript's eval.

[titzer]

There's a PR #17 to rename the directive. However, for Chrome apps that use extension URLs, we'll likely keep the old directive for some transition time.