-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fine-grained Wasm execution policies #37
Comments
This is aligned with my thinking also. |
@fgmccabe do you have any news about it? Looks like without it wasm can't run inside extensions with manifest v3 |
Can you explain a little more?
Francis
…On Mon, Dec 6, 2021 at 3:30 AM Dmitriy ***@***.***> wrote:
@fgmccabe <https://github.com/fgmccabe> do you have any news about it?
Looks like without it wasm can't run inside extensions with manifest v3
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#37 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAQAXUGNVBDKNGF47SI3HK3UPSNETANCNFSM5GCOD3YA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
--
Francis McCabe
SWE
|
@fgmccabe If an extension specifies For example, using:
Chrome shows: I assume that this happens because manifest v3 tries to restrict remote-code execution, and that's why it works that way. However... @didyk Have you tried specifying your policy without
I did some tests and noticed that I can simply not specify the CSP and Chrome will accept an extension with WASM code. However, I'm not sure how this factors in the publishing process. |
I can try looking into this. It 'smells' of an integration issue. |
@fgmccabe You can see more details here: |
@fgmccabe this is blocking Element from adopting a strong Content-Security-Policy |
You can remove the |
Also just wanted to express interest in this on behalf of Tableau/Salesforce. We use WebAssembly and have been following the |
@jacquelynoelle I don't think you can guarantee that the client will not remove |
For clarity I'll post an example here of removing all CSP headers using an extension, to demonstrate what I mentioned in earlier posts. The purpose of doing that is for the capability to Thus, while you can specify https://github.com/guest271314/remove-csp-header manifest.json
rules_1.json
Then at the local server I can do something like the following, note the
Tested on GitHub, Twitter (which uses So, I would not rely on |
Browser members of the WebExtensions Community Group are considering how to enable extensions to use Wasm that is bundled with an extension while preventing execution of arbitrary Wasm code. To that end, I originally came to this issue to ask whether it was possible for UAs to distinguish how Wasm resources are loaded, but ended up digging into the Wasm & CSP specs. Current state of Wasm & CSPThe working draft of CSP Level 3 has an Integration with WebAssembly section. This section indicates that the Wasm spec includes a This repo also integrates
The current set of specs appear to cover everything necessary for CSP to control Wasm compilation and using the Origin-based Wasm restrictionsIn order for browsers to limit an extension's ability to run Wasm to files loaded from the extension's bundle, the WebExtension platform will need to be able to declare a base CSP policy that contains a Wasm equivalent of |
There has been a separate, yet related, effort to incorporate wasm-unsafe-eval into Chrome's V3 Extension manifest. The default CSP there is script-src: 'self', as you suggest. It is permitted to use script-src: ... 'wasm-unsafe-eval'. |
For extensions, it would also be very desirable to have strict MIME type (and/or file extension) requirements, so that extensions cannot hide wasm code in a png file for example.
|
It makes the most sense of anything I've seen considered on the topic thus far. |
@fgmccabe is there a reason not to support origins and SRI hashes like script-src does? I was encouraged a few years ago at this part of the proposal specifying how the trusted origin of I'd love to see these ideas carried forward to a |
Currently with
wasm-unsafe-eval
there is no distinction between Wasm being executed from a trusted source versus Wasm being executed from an untrusted source.One of the primary features of CSP is being able to define trusted executions either associated with non-CDN domains that have restricted code available or via a nonce which carries the execution stamp of approval as it were.
Perhaps a
wasm-src
CSP option or similar could be used to distinguish Wasm execution sources on the web? Would something like that be a possibility? Even just avoiding the "unsafe" prefix helps in ensuring the right security messaging here.I'm specifically thinking about this in regards to the ESM integration, per WebAssembly/esm-integration#56.
The text was updated successfully, but these errors were encountered: