unsafe-eval chromium workaround #6

Open
anderejd opened this issue Apr 12, 2019 · 3 comments
Labels
help wanted Extra attention is needed question Further information is requested


@anderejd
Owner

anderejd commented Apr 12, 2019

It would be nice to get rid of this warning:

VM92 security-warnings.js:170 Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security
    Policy set or a policy with "unsafe-eval" enabled. This exposes users of
    this app to unnecessary security risks.
 
For more information and help, consult
https://electronjs.org/docs/tutorial/security.
 This warning will not show up
once the app is packaged.

The cause of this is documented in index.html:

<!DOCTYPE html>
<html>
  <head>
    <base href="app://./" />
    
    <!--
      'unsafe-eval' is required because of a Chrome bug(?) that disallows
      loading WASM from 'self'.
      
      https://github.com/anderejd/electron-wasm-rust-example/issues/6
      https://github.com/WebAssembly/content-security-policy/issues/7
      https://bugs.chromium.org/p/chromium/issues/detail?id=948834&can=1&q=wasm-eval
    -->
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' app: 'unsafe-eval'; object-src 'self' app:;">

    <meta content="text/html;charset=utf-8" http-equiv="Content-Type"/>
    <link rel="stylesheet" type="text/css" href="style.css">
  </head>
  <body>
  <script type="module" src="./main_module.js"></script>
  </body>
</html>

Hopefully a future chromium update will allow loading WebAssembly without 'unsafe-eval'.

@anderejd anderejd added help wanted Extra attention is needed question Further information is requested labels Apr 12, 2019
@anderejd
Owner Author

I have spent an hour or two looking into this and it seems like loading wasm from the same origin, like any other resource, really should be allowed but is not in chromium, for unclear reasons.

Why would the Same-origin policy not apply to WebAssembly? And why only in chromium?

See comment #6: https://bugs.chromium.org/p/chromium/issues/detail?id=948834#c6. It seems to indicate that chromium developers are looking into this:

Comment 6 by on
Owner: titzer@chromium.org
Status: Assigned (was: Unconfirmed)

However, this https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md seems to indicate that chromium might consider the need for 'unsafe-eval' as a feature.

@anderejd
Owner Author

This comment resonates with my current impression of this issue:

What is the reason Chromium can't allow loading of wasm modules from same-origin Response objects?

WebAssembly/content-security-policy#7 (comment)

@anderejd anderejd changed the title unsafe-eval workaround unsafe-eval chromium workaround Apr 12, 2019
@anderejd
Owner Author

TODO: Experiment with some more combinations of settings for CSP in hope of finding a clean workaround, without warnings and security holes, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
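
A helper for the CSP experiments mentioned in the TODO above, as an added example that is not part of the original issue or the project's code: it parses a policy string and reports whether the effective script-src still allows eval, which is the condition the Electron warning names. `auditCsp` and `CANDIDATE_POLICY` are hypothetical; 'wasm-unsafe-eval' is the CSP Level 3 keyword, and whether the Chromium bundled with a given Electron release honors it is an assumption to verify.

```javascript
// Policy copied from the index.html shown in this issue.
const PAGE_POLICY =
  "script-src 'self' app: 'unsafe-eval'; object-src 'self' app:;";
// Constructed candidate (assumption, not tested against Electron).
const CANDIDATE_POLICY =
  "script-src 'self' app: 'wasm-unsafe-eval'; object-src 'self' app:;";

// Parse a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. trailing ';'
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored by the browser: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs scripts and eval(); default-src is its fallback.
function effectiveScriptSrc(directives) {
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function auditCsp(policy) {
  const sources = effectiveScriptSrc(parseCsp(policy));
  if (sources === null) {
    // Neither directive present: script execution and eval are unrestricted.
    return { restricted: false, evalAllowed: true, wasmOnly: false, sources: [] };
  }
  const lower = sources.map((s) => s.toLowerCase()); // keywords match case-insensitively
  const evalAllowed = lower.includes("'unsafe-eval'");
  return {
    restricted: true,
    evalAllowed,
    // True when only WebAssembly compilation is opted in, not JavaScript eval.
    wasmOnly: !evalAllowed && lower.includes("'wasm-unsafe-eval'"),
    sources,
  };
}

for (const p of [PAGE_POLICY, CANDIDATE_POLICY]) {
  const r = auditCsp(p);
  console.log(`${r.evalAllowed ? 'WARN' : 'ok  '} wasmOnly=${r.wasmOnly} ${p}`);
}
```
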
