CSP headers with Egui WASM

[timvw01]

Any thoughts on CSP headers? For a project we want to use Egui for the web with WASM, but are also required to use CSP headers. At the moment, as far as i am aware, only 'script-scr' unsafe-eval is possible.

Is there a possibility to make it work with script-scr: 'self' only?

Is there a good argument to not to be worried with unsafe-eval, considering the full website is only WASM / Egui?

Thanks

[parasyte]

Your policy is forbidding the evaluation of anything as code, including WASM. (self is specifically for JavaScript code served from the allowed domain, this does not include WASM modules.)

There is an ongoing proposal from Chrome to allow WASM through the wasm-unsafe-eval policy. This is more restrictive than unsafe-eval but still opens the opportunity to running untrusted WASM.

At this time, your policy restrictions are forbidding you from using WASM. You need to have the policy decision reevaluated, unfortunately, since you cannot both allow and disallow WASM at the same time.

The current landscape with CSP is also not kind to WASM, since CSP combines JavaScript and WASM under the umbrella script resource and it appears the only way to compile a WASM module is to also allow JavaScript unsafe-eval. Hence the wasm-unsafe-eval proposal.