Bug 1740263 Comment 2 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Original comment by

Frederik Braun [:freddy] (OOO until April 28th)

on 2022-01-17 01:39:48 PST

Lars: Can you help me understand how this would be best wired into existing functions?

I see that existing CSP `eval()` checks are in `GlobalObject::isRuntimeCodeGenEnabled`, which looks suitable for this case, as wasm is going to be generally disallowed by default CSP's from now on. E.g.:
- CSP says nothing (eval and wasm disallowed)
- CSP allows eval (eval and wasm allowed)
- CSP allows wasm (eval still disallowed, but wasm allowed)

"wasm allowed/disallowed" includes the following execution sinks:
  *    {{new WebAssembly.Module()}}
This conversation was marked as resolved by antosart
     *    {{WebAssembly.compile()}}
     *    {{WebAssembly.compileStreaming()}}
     *    {{WebAssembly.instantiate()}}
     *    {{WebAssembly.instantiateStreaming()}}

I think I'll be able to figure the ends in our CSP code in parallel.

Revision 1 by

Frederik Braun [:freddy] (OOO until April 28th)

on 2022-01-18 05:20:33 PST

Lars: Can you help me understand how this would be best wired into existing functions?

I see that existing CSP `eval()` checks are in `GlobalObject::isRuntimeCodeGenEnabled`, which looks suitable for this case, as wasm is going to be generally disallowed by default CSP's from now on. E.g.:
- CSP says nothing (eval and wasm disallowed)
- CSP allows eval (eval and wasm allowed)
- CSP allows wasm (eval still disallowed, but wasm allowed)

"wasm allowed/disallowed" includes the following execution sinks:
     *    {{new WebAssembly.Module()}}
     *    {{WebAssembly.compile()}}
     *    {{WebAssembly.compileStreaming()}}
     *    {{WebAssembly.instantiate()}}
     *    {{WebAssembly.instantiateStreaming()}}

I think I'll be able to figure the ends in our CSP code in parallel.

Back to Bug 1740263 Comment 2