Confirming: there is no current plan to modify how extensions would work.
I was alluding to semi-solid thoughts on how a possible wasm-src policy 
would work. But, in any case, wasm-unsafe-eval would continue even without 
any new wasm-src.

Also, currently, extensions (and only extensions and chrome apps), can use 
the 'wasm-eval' policy source keyword. There was a lot of discussion about 
using wasm-eval for normal web pages but the community eventually decided 
against doing that.

wasm-eval will continue to work for extensions. But, IMO, that sets up a 
problem for the future. Chrome extensions will be able to use wasm-eval; 
but no one else will (they will have to use wasm-unsafe-eval, or, in the 
future, a wasm-src policy). I can see there being some pressure to 
normalize this down the road.


On Wednesday, October 6, 2021 at 11:05:26 AM UTC-7 oli...@oliverdunk.com 
wrote:

> Hey! Just to confirm, it seems like this change wouldn't impact extensions 
> at all? My understanding is that the current implementation supports 
> extensions by adding the chrome-extension:// URL scheme to an allow-list. 
> With that in mind, I imagine the implementation here would be removing that 
> allow-list but keeping the behaviour for extensions otherwise the same?
>
> On Thursday, September 23, 2021 at 10:36:20 PM UTC+1 Francis McCabe wrote:
>
>> Contact emails
>> ad...@chromium.org
>> f...@chromium.org
>>
>> Explainer
>> https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md
>>
>> Specification
>> https://github.com/w3c/webappsec-csp/pull/293
>>
>> Design docs
>>
>> https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md
>>
>> Summary
>>
>> Enhancements to Content Security Policy to improve interoperability with 
>> WebAssembly. 
>> The change involves adding a new CSP source keyword: wasm-unsafe-eval 
>> that would allow a web page to compile and execute WebAssembly modules. 
>>
>> Blink component
>> Blink 
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink>
>>
>> Search tags
>> wasm <https://www.chromestatus.com/features#tags:wasm>, 
>> webassembly <https://www.chromestatus.com/features#tags:webassembly>, csp 
>> <https://www.chromestatus.com/features#tags:csp>
>>
>> TAG review
>> Not needed in our view, as this is a very small change to 
>> existing CSP functionality.
>>
>> TAG review status
>>
>> Risks
>>
>>
>> Interoperability and Compatibility
>>
>>
>>
>> Gecko: https://github.com/mozilla/standards-positions/issues/580
>>
>> WebKit: 
>> https://lists.webkit.org/pipermail/webkit-dev/2021-August/031974.html
>>
>> Web developers: There has been a considerable amount of discussion of 
>> this within the WebAppSec WG and there is some pressure from developers to 
>> adopt this (see 
>> https://bugs.chromium.org/p/chromium/issues/detail?id=841404 and 
>> https://bugs.chromium.org/p/chromium/issues/detail?id=948834 and 
>> https://bugs.chromium.org/p/chromium/issues/detail?id=915648)
>>
>>
>> Debuggability
>>
>>
>>
>> Is this feature fully tested by web-platform-tests 
>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>> Yes * CL 
>> https://chromium-review.googlesource.com/c/chromium/src/+/3171519 under 
>> review
>>
>> Flag name
>> Blink feature flag WebAssemblyCSP
>>
>> Requires code in //chrome?
>> False
>>
>> Tracking bug
>> https://bugs.chromium.org/p/chromium/issues/detail?id=841404
>>
>> Estimated milestones
>>
>> M96
>>
>> Link to entry on the Chrome Platform Status
>> https://www.chromestatus.com/feature/5499765773041664
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/339519e8-ab1c-4a84-b332-dc49bdcd6b72n%40chromium.org.
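
Added example, not part of the original thread and not Chromium's code: a policy-review helper that decides whether a Content-Security-Policy header value permits WebAssembly compilation under the keywords discussed above. The function names and the `isExtension` option are hypothetical; it assumes that 'unsafe-eval' also permits compilation and that script-src falls back to default-src.

```javascript
// Added example: decide whether a Content-Security-Policy header value lets a
// page compile WebAssembly. Function and parameter names are hypothetical.

// Parse one serialized policy into a Map of directive name -> source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores duplicates.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// A header may carry several comma-separated policies; every one must allow.
function allowsWasmCompile(headerValue, { isExtension = false } = {}) {
  const policies = headerValue.split(',').map((p) => p.trim()).filter(Boolean);
  return policies.every((policy) => {
    const directives = parsePolicy(policy);
    // script-src governs compilation, with default-src as its fallback.
    const sources = directives.get('script-src') ?? directives.get('default-src');
    if (sources === undefined) return true; // no governing directive
    if (sources.includes("'unsafe-eval'")) return true; // also unlocks JS eval()
    if (sources.includes("'wasm-unsafe-eval'")) return true; // Wasm only
    // Per the thread, 'wasm-eval' is honoured only for extensions and apps.
    return isExtension && sources.includes("'wasm-eval'");
  });
}

// Constructed sample policies (not taken from any real site).
const samples = [
  "script-src 'self'",
  "script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self' 'wasm-unsafe-eval'; script-src 'self'",
  "script-src 'self' 'wasm-eval'",
];
for (const s of samples) {
  console.log(allowsWasmCompile(s) ? 'allow' : 'block', '-', s);
}
```

The third sample is blocked because an explicit script-src replaces default-src entirely, so a keyword placed only in default-src has no effect once script-src is present.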