Closed Bug 1766027 Opened 2 months ago Closed 2 months ago

Decide on including 'wasm-unsafe-eval' in the default CSP of MV3 extensions

Categories

(WebExtensions :: Compatibility, task, P3)

task

Tracking

(Not tracked)

RESOLVED FIXED
102 Branch

People

(Reporter: robwu, Unassigned)

References

Details

(Keywords: dev-doc-complete, Whiteboard: [addons-jira] [wecg])

A goal of MV3 is to block remote code execution in privileged (extension) contexts by default; any use of code execution with non-static scripts should be blocked or at least be opt-in, e.g. via manifest.json

Bug 1740263 introduced support for blocking wasm via CSP with 'wasm-unsafe-eval', and included this in the base and default CSP of MV2 by default, for backwards-compatibility (WIP patch in D142953).
In MV3, we have omitted it from the default CSP, which means that extensions cannot use wasm by default. We did add it to the base CSP, which means that extensions can specify a custom content_security_policy in the manifest.json file to opt in to allowing wasm.

Chrome's current dev build (102) introduces support for 'wasm-unsafe-eval' too, but they did not only add it to the base CSP, but also the default CSP.

I will file a bug on Chromium's issue tracker to highlight this issue, and if the argument for including it in the default CSP is compelling, then we should consider including it in the default CSP of MV3 extensions too.

I have opened an issue on Chromium's issue tracker at https://bugs.chromium.org/p/chromium/issues/detail?id=1318922, with some more details.

Whiteboard: [addons-jira][wecg]
Severity: -- → N/A
Priority: -- → P3
Component: General → Compatibility
Whiteboard: [addons-jira][wecg] → [addons-jira] [wecg]

Resolution has been reached.

The behavior is as follows, and needs to be documented

In Firefox:

  • Firefox 101 and earlier: extensions are unconditionally able to use wasm in extensions.
  • Firefox 102 (bug 1740263):
    • MV2 extensions can continue to use wasm in extensions by default, unless they have specified a custom content_security_policy that disallows 'wasm-unsafe-eval'.
      • EDIT: given regressions, this has changed to: M2 extensions can unconditionally use wasm (see bug 1770909).
    • MV3 extensions cannot use wasm by default, but they can once they add 'wasm-unsafe-eval' to content_security_policy in

In Chrome:

  • Chrome 101: extensions not able to use wasm
  • Chrome 102: extensions unconditionally able to use wasm (bug) (same behavior as Firefox 101 and earlier)
  • Chrome 103: extensions can use wasm only if they add 'wasm-unsafe-eval' to content_security_policy in manifest.json (https://crbug.com/1318922).
Status: NEW → RESOLVED
Closed: 2 months ago
Keywords: dev-doc-needed
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch
See Also: → 1770468
See Also: → 1770909

Documentation completed in https://github.com/mdn/content/pull/16943

You need to log in before you can comment on or make changes to this bug.