← Back to release summary

WebAssembly Content Security Policy

Category

WebAssembly

Type

New or changed feature

Status

Enabled by default (Chrome 97)

Intent stage

Evaluate readiness to ship

Summary

Enhancements to Content Security Policy to improve interoperability with WebAssembly.

Motivation

Allows web developers to be more fine grained in their policy wrt executing WebAssembly. Currently, if there is a non-empty CSP policy for a page, the unsafe-eval policy must be enabled. This allows a developer to use wasm-unsafe-eval that only allows webassembly execution and has no impact on javaScript execution.

Standards & signals

• Specification: https://github.com/w3c/webappsec-csp/pull/293
• Firefox: No signal
• Safari: No signal
• Web developers: No signals
• Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=841404

Docs: https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md

Explainers: https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md

View on chromestatus.com