Allow WebAssembly + workers in the packaged CSP

v0.1.3 bundled MediaPipe locally but still failed to start because
the packaged CSP blocked WASM compilation:

    CompileError: WebAssembly.instantiate() ... 'wasm-eval' is not an
    allowed source of script in 'script-src 'self' 'sha256-...'

Root cause: I had put 'unsafe-eval' on default-src, but Tauri injects
its own script-src (with hashes for its bootstrap scripts) and that
directive does NOT inherit from default-src — so the keyword never
applied to script execution. Same story for MediaPipe's worker, which
it spawns from a blob: URL.

- Set explicit script-src 'self' 'wasm-unsafe-eval' blob: — Tauri
  appends its sha256 hashes to our directive instead of synthesizing
  its own, and 'wasm-unsafe-eval' permits WebAssembly compilation
  without re-enabling general eval().
- Set explicit worker-src 'self' blob: for MediaPipe's worker.
- Tighten everything else: drop the broad `https:` allowance from
  default-src (assets are local now), drop the jsdelivr/googleapis
  connect-src entries that were only needed before bundling.
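
The fallback behaviour this commit message describes can be checked mechanically. The following is an added example, not code from this repository: it resolves which directive governs script and worker loads under the CSP Level 3 fallback order and tests for WASM compilation and blob: workers. Both policy strings are constructed from the description above, `'sha256-PLACEHOLDER'` stands in for the injected hashes, and source matching is simplified to exact keyword and scheme tokens.

```javascript
// Added example: find the CSP directive that actually governs a load type.
// CSP Level 3 fallback order: the first directive present wins outright,
// and its source list is never merged with default-src.
const FALLBACK = {
  'script-src': ['script-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// Parse "name src src; name src" into Map(name -> [sources]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; only the first occurrence counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return the directive name and source list that apply to `wanted`.
function effective(policy, wanted) {
  const directives = parseCsp(policy);
  for (const name of FALLBACK[wanted]) {
    if (directives.has(name)) return { directive: name, sources: directives.get(name) };
  }
  return { directive: null, sources: null }; // nothing restricts this load type
}

const has = (sources, token) => sources.some((s) => s.toLowerCase() === token);

// WASM compilation needs 'wasm-unsafe-eval' or 'unsafe-eval' on the
// effective script-src, not merely somewhere in the policy.
function allowsWasmCompile(policy) {
  const { sources } = effective(policy, 'script-src');
  return sources === null || has(sources, "'wasm-unsafe-eval'") || has(sources, "'unsafe-eval'");
}

// A worker created from a blob: URL needs the blob: scheme on the effective worker-src.
function allowsBlobWorker(policy) {
  const { sources } = effective(policy, 'worker-src');
  return sources === null || has(sources, 'blob:');
}

// Constructed policies: the failing shape and the fixed shape described above.
const BEFORE = "default-src 'self' 'unsafe-eval' https:; script-src 'self' 'sha256-PLACEHOLDER'";
const AFTER = "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' blob: 'sha256-PLACEHOLDER'; worker-src 'self' blob:";
```

Running the two checks against the policy a packaged build actually serves, rather than the one in the config file, catches the case where a framework-injected directive shadows default-src.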