Possible to allow running inlined wasm just like JS despite CSP #1866

Open
eugenesvk opened this issue Aug 10, 2023 · 2 comments

Comments

@eugenesvk

eugenesvk commented Aug 10, 2023

Update: it seems to be possible to resolve this by appending wasm-unsafe-eval to existing website's CSP, is this something Violentmonkey could do?

I'm successfully able to use your great extension to run a simple script that has an inlined wasm module in it (with a rollup bundler that inlines the wasm and adds the necessary JS glue code to run it), e.g., this gist has a module that only prints a line to console on 2 sites

But only on some websites. For example, the script above runs on example.com, but on github I get an error

CompileError: WebAssembly.instantiate(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src github.githubassets.com"

I don't understand why I can run JS (so the extension is able to bypass whatever site script-src restrictions there are), but not WASM
And maybe this is some deep browser limitation since wasm is still a 2nd-class citizen, so it's not a VM's bug per se (so filing this as a general issue)

But maybe you know how to make wasm work in a way just like JS
Thank you!

I've found a bunch of issues #1436 related to loading wasm modules via URLs, but this isn't it, everything is inlined
Then I've also discovered some CSP-related issue #1001, but that's only Firefox.
From that conversation I've learned that TamperMonkey removes CSP, but then tried using the same script with it, and it failed with the same error :(

(also am using Chromium browser, not Firefox)

I've also tried setting wasm-unsafe-eval directive to the CSP via the CSP editing extension https://chrome.google.com/webstore/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj/related?hl=en-US, and this seems to be the way, but even that extension failed to work properly - for some reason there is no "append" functionality for CSPs, so I can either override it to allow running inlined wasm (this works) or manually append, neither of which is a feasible option

@tophf
Member

tophf commented Aug 10, 2023

This is indeed caused by the site's CSP. Violentmonkey currently doesn't change it. We may enable it in the future although I don't think we will support WASM as it seems outside our scope. Try using an additional extension to patch the CSP header.

@eugenesvk
Author

Thanks for a prompt response!

I have tried to use an additional extension, the one you mentioned in one of the threads, but it wasn't up to the task as it replaced the whole thing, breaking native site's scripts :(
Tried its open source alternative Requestly, but surprisingly it also failed requestly/requestly#926

For now I've resolved to running via a convoluted process of converting wasm back to js, then it runs fine again

Would be nice if whenever you decide to patch CSP headers wasm could be added to scope since it's much nicer (at least in theory, in practice you get a lot of pain with issues like this one) to write user scripts in better languages than JS
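
The "append instead of replace" behaviour discussed in this thread, as an added example that is not part of the original issue and is not Violentmonkey's code: it adds 'wasm-unsafe-eval' (which permits WebAssembly compilation without enabling eval()) to the directive that governs scripts and leaves every other source untouched. The function names are hypothetical; the first sample is the directive quoted in the error above, the second is constructed.

```javascript
const WASM = "'wasm-unsafe-eval'";

// Parse one serialized policy into [name, [values...]] pairs, in order.
function parsePolicy(policy) {
  return policy.split(';')
    .map(d => d.trim().split(/\s+/))
    .filter(tokens => tokens[0] !== '')
    .map(([name, ...values]) => [name.toLowerCase(), values]);
}

// Patch a single policy; returns it unchanged when no patch is needed.
function patchPolicy(policy) {
  const directives = parsePolicy(policy);
  // Only the first occurrence of a directive name is honoured.
  const find = name => directives.find(([n]) => n === name);
  // WebAssembly compilation is checked against script-src, else default-src.
  const governing = find('script-src') || find('default-src');
  if (!governing) return policy.trim(); // policy does not restrict scripts
  const lower = governing[1].map(v => v.toLowerCase());
  if (lower.includes(WASM) || lower.includes("'unsafe-eval'")) return policy.trim();
  // 'none' only has effect as the sole source, so drop it before appending.
  const sources = governing[1]
    .filter(v => v.toLowerCase() !== "'none'")
    .concat(WASM);
  if (governing[0] === 'script-src') {
    governing[1] = sources;
  } else {
    // Leave default-src alone; add a script-src that copies its sources.
    directives.push(['script-src', sources]);
  }
  return directives.map(([n, v]) => [n, ...v].join(' ')).join('; ');
}

// A header value may carry several comma-separated policies, and every one
// of them is enforced, so each policy has to be patched.
function appendWasmUnsafeEval(headerValue) {
  return headerValue.split(',').map(patchPolicy).join(', ');
}

// Directive from the error message in this issue.
console.log(appendWasmUnsafeEval('script-src github.githubassets.com'));
// Constructed sample: no script-src, so default-src is the fallback.
console.log(appendWasmUnsafeEval("default-src 'self'; img-src *"));
```
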
