LGTM1. We've talked about this approach in WebAppSec a few times, and I think there's general agreement on the approach. I'd like to see the spec language land before shipping this, but it looks like there aren't any substantive outstanding questions, and I'm confident you can work out the details.
-mike On Thu, Sep 23, 2021 at 11:36 PM Francis McCabe <f...@chromium.org> wrote: > Contact emailsad...@chromium.org > f...@chromium.org > > Explainer > https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md > > Specificationhttps://github.com/w3c/webappsec-csp/pull/293 > > Design docs > > https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md > > Summary > > Enhancements to Content Security Policy to improve interoperability with > WebAssembly. > The change involves adding a new CSP source keyword: wasm-unsafe-eval that > would allow a web page to compile and execute WebAssembly modules. > > Blink componentBlink > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink> > > Search tagswasm <https://www.chromestatus.com/features#tags:wasm>, > webassembly <https://www.chromestatus.com/features#tags:webassembly>, csp > <https://www.chromestatus.com/features#tags:csp> > > TAG reviewNot needed in our view, as this is a very small change to > existing CSP functionality. > > TAG review status > > Risks > > > Interoperability and Compatibility > > > > Gecko: https://github.com/mozilla/standards-positions/issues/580 > > WebKit: > https://lists.webkit.org/pipermail/webkit-dev/2021-August/031974.html > > Web developers: There has been a considerable amount of discussion of > this within the WebAppSec WG and there is some pressure from developers to > adopt this (see > https://bugs.chromium.org/p/chromium/issues/detail?id=841404 and > https://bugs.chromium.org/p/chromium/issues/detail?id=948834 and > https://bugs.chromium.org/p/chromium/issues/detail?id=915648) > > > Debuggability > > > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> > ?Yes * CL > https://chromium-review.googlesource.com/c/chromium/src/+/3171519 under > review > > Flag nameBlink feature flag WebAssemblyCSP > > Requires code in //chrome?False > > Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=841404 > > Estimated milestones > > M96 > > Link to entry on the Chrome Platform Status > https://www.chromestatus.com/feature/5499765773041664 > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWAc3Y07YDx%2B%3DiKRboZZGFGXzE5FbufUnY__0_w8nsXSRA%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWAc3Y07YDx%2B%3DiKRboZZGFGXzE5FbufUnY__0_w8nsXSRA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3Ddo5P0QE4k9uyxCo0HoWUBGYkd6BB4d4uc1GmKhX%3Dh-qA%40mail.gmail.com.
