Hi Francis,
I read in the explainer that you had explored reusing currently existing
script-src policies but thought that would break existing content. Could
you expand a bit on how you reached that conclusion?
/Daniel
On 2021-09-30 21:14, Mike West wrote:
LGTM1.
We've talked about this approach in WebAppSec a few times, and I think
there's general agreement on the approach. I'd like to see the spec
language land before shipping this, but it looks like there aren't any
substantive outstanding questions, and I'm confident you can work out
the details.
-mike
On Thu, Sep 23, 2021 at 11:36 PM Francis McCabe <f...@chromium.org> wrote:
Contact emails
ad...@chromium.org
f...@chromium.org
Explainer
https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md
Specification
https://github.com/w3c/webappsec-csp/pull/293
Design docs
https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md
Summary
Enhancements to Content Security Policy to improve
interoperability with WebAssembly.
The change involves adding a new CSP source keyword:
wasm-unsafe-eval that would allow a web page to compile and
execute WebAssembly modules.
Blink component
Blink
Search tags
wasm, webassembly, csp
TAG review
Not needed in our view, as this is a very small change to existing
CSP functionality.
TAG review status
Risks
Interoperability and Compatibility
Gecko: https://github.com/mozilla/standards-positions/issues/580
WebKit: https://lists.webkit.org/pipermail/webkit-dev/2021-August/031974.html
Web developers: There has been a considerable amount of discussion
of this within the WebAppSec WG and there is some pressure from
developers to adopt this (see
https://bugs.chromium.org/p/chromium/issues/detail?id=841404 and
https://bugs.chromium.org/p/chromium/issues/detail?id=948834 and
https://bugs.chromium.org/p/chromium/issues/detail?id=915648)
Debuggability
Is this feature fully tested by web-platform-tests?
Yes
* CL https://chromium-review.googlesource.com/c/chromium/src/+/3171519 under review
Flag name
Blink feature flag WebAssemblyCSP
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=841404
Estimated milestones
M96
Link to entry on the Chrome Platform Status
https://www.chromestatus.com/feature/5499765773041664
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to blink-dev+unsubscr...@chromium.org
<mailto:blink-dev+unsubscr...@chromium.org>.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWAc3Y07YDx%2B%3DiKRboZZGFGXzE5FbufUnY__0_w8nsXSRA%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWAc3Y07YDx%2B%3DiKRboZZGFGXzE5FbufUnY__0_w8nsXSRA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
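Added example, not part of the original thread and not Chromium's code: a small policy checker showing how the wasm-unsafe-eval keyword from the summary separates WebAssembly compilation from JavaScript eval(). It assumes the CSP3 semantics that 'unsafe-eval' also permits WebAssembly and that script-src falls back to default-src; the function names and sample header values are constructed for illustration.

```javascript
// Added example (not Chromium code): model what a set of CSP header values
// permits for JavaScript eval() and for WebAssembly compilation.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function evalCapabilities(headerValues) {
  // Every delivered policy is enforced, so a capability must pass all of them.
  let jsEval = true, wasm = true, restricted = false;
  const policies = headerValues.flatMap(v => v.split(',')).filter(p => p.trim());
  for (const p of policies) {
    const d = parsePolicy(p);
    // Eval-style checks use script-src, falling back to default-src.
    const sources = d.get('script-src') ?? d.get('default-src');
    if (sources === undefined) continue; // policy does not govern script
    restricted = true;
    const kw = new Set(sources.map(s => s.toLowerCase()));
    const unsafeEval = kw.has("'unsafe-eval'");
    jsEval = jsEval && unsafeEval;
    wasm = wasm && (unsafeEval || kw.has("'wasm-unsafe-eval'"));
  }
  return { jsEval, wasm, restricted };
}

// Hypothetical audit helper: report when 'unsafe-eval' is present only to
// enable WebAssembly and could be narrowed to 'wasm-unsafe-eval'.
function auditForWasm(headerValues, siteUsesJsEval) {
  const caps = evalCapabilities(headerValues);
  if (!caps.restricted) return 'no-script-policy';
  if (!caps.wasm) return 'wasm-blocked';
  if (caps.jsEval && !siteUsesJsEval) return 'narrow-to-wasm-unsafe-eval';
  return 'ok';
}

// Constructed sample: WebAssembly allowed, eval() still blocked.
console.log(evalCapabilities(["default-src 'self'; script-src 'self' 'wasm-unsafe-eval'"]));
```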