torch2424/wasmboy

`blob:` worker fails CSP

Opened this issue · 2 comments

```
wasmboy.wasm.esm.js:134 Refused to create a worker from 'blob:https://gleasonator.com/7fd7fb97-2f5a-42df-b539-ba71f49485b4' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

kU @ wasmboy.wasm.esm.js:134
wasmboy.wasm.esm.js:134 Uncaught (in promise) DOMException: Failed to construct 'Worker': Access to the script at 'blob:https://gleasonator.com/7fd7fb97-2f5a-42df-b539-ba71f49485b4' is denied by the document's Content Security Policy.
    at new kU (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:58240)
    at vF (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:59067)
    at https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:356221
    at jF._instantiateWorkers (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:356274)
    at jF.uF (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:326936)
    at https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:328430
    at async J (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:366438)
```

Seems like the worker is being loaded as a blob URI. To get around it, I need to add `worker-src blob:` to my CSP, which I'm not sure I want to do. I wonder if we can load it from a regular URL.

I ended up adding `blob:` to `script-src` in my CSP, now hitting this:

```
Refused to connect to 'data:application/wasm;base64,...' because it violates the following Content Security Policy directive: "connect-src 'self' blob: https://gleasonator.com wss://gleasonator.com *.tile.openstreetmap.org https://media.gleasonator.com https://proxy.gleasonator.com https://o4505999744499712.ingest.sentry.io".

I @ 2403046c-dc53-4b5b-b00e-2523a87a3616:22
```

This library should be refactored to not rely on data URIs like this.

I ended up creating a fork to change the rollup build so wasmboy will fit within my strict CSP: https://gitlab.com/soapbox-pub/wasmboy

And now it's possible to play Game Boy games on Mastodon: https://gleasonator.com/@alex/posts/Ac5HNKguMNj8AkmF0a
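
The two console errors in this thread come from different directives: worker creation falls back from `worker-src` to `script-src`, while the `data:` WebAssembly fetch is checked against `connect-src`. The sketch below is an added example, not code from wasmboy or the fork; it is a simplified matcher (scheme sources, `'self'` and exact origins only), and the abbreviated policy string, the blob id and the same-origin file paths are constructed for illustration.

```javascript
// Added example: which CSP directive decides a blob: worker or a data: fetch.
// Simplified matcher: scheme sources, 'self' and exact origins only (no wildcards, paths or nonces).
const FALLBACK = {
  worker: ['worker-src', 'child-src', 'script-src', 'default-src'],
  connect: ['connect-src', 'default-src'],
};

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function check(header, kind, url, pageOrigin) {
  const policy = parseCsp(header);
  const directive = FALLBACK[kind].find((d) => policy.has(d)) || null;
  if (directive === null) return { directive, allowed: true }; // nothing restricts this request type
  const scheme = url.slice(0, url.indexOf(':') + 1).toLowerCase();
  const local = scheme === 'blob:' || scheme === 'data:';
  const allowed = policy.get(directive).some((src) => {
    const s = src.toLowerCase();
    if (s === scheme) return true;   // scheme source such as blob: or data:
    if (local) return false;         // 'self', host sources and * never match blob:/data:
    if (s === "'self'") return new URL(url).origin === pageOrigin;
    return s.includes('://') && new URL(url).origin === s; // exact origin only
  });
  return { directive, allowed };
}

// Constructed inputs: the policy is abbreviated from the directives quoted in the errors.
const ORIGIN = 'https://gleasonator.com';
const ORIGINAL = "script-src 'self' 'wasm-unsafe-eval'; " +
  "connect-src 'self' blob: https://gleasonator.com wss://gleasonator.com";
const WITH_BLOB = ORIGINAL.replace("script-src 'self'", "script-src 'self' blob:");
const BLOB_WORKER = 'blob:https://gleasonator.com/constructed-id';
const DATA_WASM = 'data:application/wasm;base64,AA=='; // constructed placeholder payload
const URL_WORKER = ORIGIN + '/packs/js/worker.js';     // hypothetical same-origin path
const URL_WASM = ORIGIN + '/packs/wasm/core.wasm';     // hypothetical same-origin path

console.log(check(ORIGINAL, 'worker', BLOB_WORKER, ORIGIN));
console.log(check(WITH_BLOB, 'connect', DATA_WASM, ORIGIN));
console.log(check(ORIGINAL, 'worker', URL_WORKER, ORIGIN), check(ORIGINAL, 'connect', URL_WASM, ORIGIN));
```

Serving the worker script and the `.wasm` file from same-origin URLs passes the original policy unchanged, whereas the blob and data URI loads each require a scheme source to be added.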