A goal of MV3 is to block remote code execution in privileged (extension) contexts by default; any use of code execution with non-static scripts should be blocked or at least be opt-in, e.g. via manifest.json.
Bug 1740263 introduced support for blocking wasm via CSP with 'wasm-unsafe-eval', and included this in the base and default CSP of MV2 by default, for backwards-compatibility (WIP patch in D142953).
In MV3, we have omitted it from the default CSP, which means that extensions cannot use wasm by default. We did add it to the base CSP, which means that extensions can specify a custom content_security_policy in the manifest.json file to opt in to allowing wasm.
Chrome's current dev build (102) introduces support for 'wasm-unsafe-eval' too, but they added it not only to the base CSP, but also to the default CSP.
I will file a bug on Chromium's issue tracker to highlight this issue, and if the argument for including it in the default CSP is compelling, then we should consider including it in the default CSP of MV3 extensions too.
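
An added example, not part of the original report or of Firefox's code: a reviewer-side check that reports whether an MV3 manifest.json opts in to wasm through a custom CSP, as described above. It assumes the MV3 object form `content_security_policy.extension_pages` and standard CSP handling (first duplicate directive wins, `script-src` falls back to `default-src`); the function names and sample manifests are constructed.

```javascript
// Parse a CSP string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores repeated directives: only the first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report whether an MV3 manifest explicitly opts in to WebAssembly.
// optsIn is null for manifests this check does not cover (anything but MV3).
function auditWasmOptIn(manifest) {
  if (manifest.manifest_version !== 3) {
    return { optsIn: null, reason: "not an MV3 manifest; out of scope" };
  }
  const csp = manifest.content_security_policy;
  const policy = csp && typeof csp === "object" ? csp.extension_pages : undefined;
  if (typeof policy !== "string") {
    // No custom CSP: the MV3 default applies, which omits 'wasm-unsafe-eval'.
    return { optsIn: false, reason: "no custom CSP; MV3 default applies" };
  }
  const directives = parseCsp(policy);
  const sources =
    directives.get("script-src") ?? directives.get("default-src") ?? [];
  const optsIn = sources.some((s) => s.toLowerCase() === "'wasm-unsafe-eval'");
  return {
    optsIn,
    reason: optsIn
      ? "custom CSP lists 'wasm-unsafe-eval'"
      : "custom CSP omits 'wasm-unsafe-eval'",
  };
}

// Constructed sample manifests (not taken from any real extension).
const mv3 = (policy) => ({
  manifest_version: 3,
  content_security_policy: { extension_pages: policy },
});
const SAMPLES = {
  defaultOnly: { manifest_version: 3 },
  optIn: mv3("script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"),
  noOptIn: mv3("script-src 'self'"),
  viaDefaultSrc: mv3("default-src 'self' 'wasm-unsafe-eval'"),
  shadowed: mv3("script-src 'self'; script-src 'self' 'wasm-unsafe-eval'"),
  mv2: { manifest_version: 2 },
};
```

Running `auditWasmOptIn` over each manifest in a review queue gives a quick list of the extensions that asked for wasm and so deserve a closer look at what they compile.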