fix: wasm module loading #176
Addresses wasm module loading reported in #175
For details see https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md#the-wasm-unsafe-eval-source-directive
packages/edge-gateway/src/gateway.js
Outdated
@@ -537,7 +537,7 @@ function getTransformedResponseWithCustomHeaders(response) { | |||
|
|||
clonedResponse.headers.set( | |||
'content-security-policy', | |||
"default-src 'self' 'unsafe-inline' blob: data: ; form-action 'self' ; navigate-to 'self' " | |||
"default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ; form-action 'self' ; navigate-to 'self' " |
We have considered this in #172 (comment), but left it out. As it turns out, leaving it out prevents WASM module loading, which is not a desired behavior.
We could enable just wasm via the unsafe-wasm-eval directive; however, I don't see a good reason to disable JS eval, so I'm proposing this.
LGTM
LGTM
It should probably be:
Thanks @ikreymer! Yes, it won't inherit from default-src the 'self'. Adding it now
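The two points raised in this thread (a `script-src` directive replaces `default-src` rather than extending it, and `'unsafe-eval'` covers both JavaScript eval and WebAssembly compilation), as an added example that is not code from this PR or the project. `parseCsp`, `scriptCapabilities` and the two `NARROW` policies are constructed for illustration, and the model is simplified to inspect keyword sources only.

```javascript
// Added example: simplified model of which CSP directive governs script
// execution. Only keyword sources are inspected (assumption of this sketch).

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive name is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function scriptCapabilities(policy) {
  const d = parseCsp(policy);
  // script-src, when present, replaces default-src; lists are never merged.
  const governing = d.has("script-src") ? "script-src"
    : d.has("default-src") ? "default-src" : null;
  if (governing === null) {
    return { governing, selfListed: false, jsEval: true, wasm: true };
  }
  const src = d.get(governing).map((s) => s.toLowerCase());
  const jsEval = src.includes("'unsafe-eval'");
  return {
    governing,
    selfListed: src.includes("'self'"),
    // 'unsafe-eval' permits WebAssembly compilation as well as JS eval;
    // 'wasm-unsafe-eval' permits WebAssembly compilation only.
    jsEval,
    wasm: jsEval || src.includes("'wasm-unsafe-eval'"),
  };
}

// Header value before this PR and as changed by it (both from the diff).
const BEFORE = "default-src 'self' 'unsafe-inline' blob: data: ; form-action 'self' ; navigate-to 'self' ";
const PR = "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ; form-action 'self' ; navigate-to 'self' ";
// Constructed variants: a wasm-only script-src without and with 'self'.
const NARROW_NO_SELF = BEFORE + "; script-src 'wasm-unsafe-eval'";
const NARROW = BEFORE + "; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'";

for (const [label, p] of Object.entries({ BEFORE, PR, NARROW_NO_SELF, NARROW })) {
  console.log(label, JSON.stringify(scriptCapabilities(p)));
}
```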