CSP Support for ESM Integration

Question

CSP Support for ESM Integration

guybedford opened this issue 3 years ago · 2 comments

Somewhat related to #41, it's worth thinking about what CSP policies will apply to the ESM integration when importing Wasm.

Currently the Wasm CSP spec defines wasm-unsafe-eval to be required for all JS API usages.

Would the ESM integration form an exception here when importing Wasm in that it maintains full control of the script src? Or would it simply adopt this same policy?

Answer 1 · 2021-10-15T18:51:36.000Z

I don't have a well formed opinion on this at the moment.

Answer 2 · 2021-10-18T08:32:42.000Z

As script fetching is currently setup it would indeed use script-src. I filed whatwg/html#7233 to see if that's how it should be.