The proposed change is very small and not 'architectural'. The proposal
adds a new policy keyword to CSP and extends the role (slightly) of
script-src itself.


On Thu, Sep 2, 2021 at 6:43 AM Yoav Weiss <[email protected]> wrote:

>
>
> On Wed, Sep 1, 2021 at 9:00 PM Francis McCabe <[email protected]> wrote:
>
>> Contact [email protected]
>> [email protected]
>>
>> Explainer
>> https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md
>>
>> Specification
>> https://github.com/w3c/webappsec-csp/pull/293
>>
>> Summary
>>
>> Enhancements to Content Security Policy to improve interoperability with
>> WebAssembly.
>>
>>
>> Blink component
>> Blink
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink>
>>
>> Motivation
>>
>> Allows web developers to be more fine grained in their policy wrt
>> executing WebAssembly. Currently, if there is a non-empty CSP policy for a
>> page, the unsafe-eval policy must be enabled. This allows a developer to
>> use wasm-unsafe-eval that only allows WebAssembly execution and has no
>> impact on JavaScript execution. In addition, the proposal is to extend
>> existing CSP script-src policies to include WebAssembly. Since WebAssembly
>> does not have an element tag, this will be, initially, to apply script-src
>> policies to the relevant API calls: WebAssembly.instantiateStreaming etc.
>>
>>
>> Initial public proposal
>> https://github.com/w3c/webappsec-csp/pull/293
>>
>> Search tags
>> wasm <https://www.chromestatus.com/features#tags:wasm>,
>> webassembly <https://www.chromestatus.com/features#tags:webassembly>, csp
>> <https://www.chromestatus.com/features#tags:csp>
>>
>> TAG review
>> Not needed
>>
>
> Can you expand on why you think a TAG review is not needed?
>
>
>>
>> TAG review status
>>
>> Risks
>>
>>
>> Interoperability and Compatibility
>>
>>
>>
>> Gecko:
>> https://github.com/mozilla/standards-positions/issues/574#
>>
>> WebKit: see
>> https://lists.webkit.org/pipermail/webkit-dev/2021-August/031974.html
>>
>> Web developers:
>> See https://crbug.com/948834
>>
>>
>> Debuggability
>>
>>
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>> Yes
>>
>> Flag name
>>
>> Requires code in //chrome?
>> False
>>
>> Tracking bug
>> https://bugs.chromium.org/p/chromium/issues/detail?id=841404
>>
>> Estimated milestones
>>
>> Link to entry on the Chrome Platform Status
>> https://www.chromestatus.com/feature/5499765773041664
>>
>> This intent message was generated by Chrome Platform Status
>> <https://www.chromestatus.com/>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWB-%3DsKJUpiXcZ2jBGZaQ_yAXWOUdO2Jt1mKA3whP7ZqdA%40mail.gmail.com
>>
>


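The keyword semantics described in the quoted Motivation, as an added example that is not part of the original thread and not Chromium's implementation: a small evaluator that reports whether a set of CSP policies permits JavaScript eval() and WebAssembly compilation. It models only the 'unsafe-eval' and 'wasm-unsafe-eval' keywords (not URL matching for WebAssembly.instantiateStreaming), assumes every policy is enforced rather than report-only, and uses constructed function names and policy strings.

```javascript
// Added example; function names and sample policies are constructed for illustration.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive; the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// What a single policy permits. script-src falls back to default-src; a policy
// with neither directive does not restrict eval() or WebAssembly compilation.
function evaluatePolicy(policy) {
  const directives = parsePolicy(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return { jsEval: true, wasm: true };
  const jsEval = sources.includes("'unsafe-eval'");
  // 'unsafe-eval' covers WebAssembly too; 'wasm-unsafe-eval' covers only WebAssembly.
  const wasm = jsEval || sources.includes("'wasm-unsafe-eval'");
  return { jsEval, wasm };
}

// A page may carry several policies (for example, several headers).
// An operation is allowed only if every policy allows it.
function evaluatePage(policies) {
  return policies.map(evaluatePolicy).reduce(
    (acc, r) => ({ jsEval: acc.jsEval && r.jsEval, wasm: acc.wasm && r.wasm }),
    { jsEval: true, wasm: true }
  );
}

// Constructed sample policies showing the three cases from the Motivation text.
for (const p of [
  "script-src 'self'",
  "script-src 'self' 'unsafe-eval'",
  "script-src 'self' 'wasm-unsafe-eval'",
]) {
  console.log(p, '=>', evaluatePage([p]));
}
```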