-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wasm-eval #106
Comments
I was mistaken. Manifest v2 used wasm-eval. That's been removed. Now you can use 'wasm-unsafe-eval' in manifest v3. However, ideally this lib wouldn't require it. |
This shouldn't be closed. It's a security risk in the libs to use those methods then deploy to a website or chrome extension. |
This library is based on wasm, you do understand that? |
Yes. wasm-eval and wasm-unsafe-eval are not required in order to execute wasm. They're only required when the underlying wasm library makes unsafe calls. |
we never intended to support google chrome extensions anyway |
It's still a security risk when used in a browser. Seems really odd a security company is fighting this...? I mean if I'm wrong in some way thats one thing. But from my understanding the "eval" like functions allow arbitrary code to be run. |
It's an open source project, you are welcome to make a PR. |
Based on the WebAssembly Sandbox, as described at https://github.com/WebAssembly/content-security-policy/blob/4c61db828b4a0739e4500e8d42d0ec85ef05505a/proposals/CSP.md#the-wasm-unsafe-eval-source-directive/ it seems the risk is small. I was a little thrown by the use of the words Here's why I believe they're used, and it seems necessary to use them as there aren't alternatives yet. As described at https://developer.mozilla.org/en-US/docs/WebAssembly/Loading_and_running:
The bit in bold indicates the relation between the compile/instantiate calls and new Function(string). The Having this understanding, and being able to explain it is not a waste of time. User's shouldn't be throwing 'unsafe' and 'eval' words into their CSP without understanding what the security impact of doing so is. Whether the ticket stays opened or closed is up to you. There's nothing to do about it for now. |
The wasm libraries used by e3kit-js found in this project require 'wasm-eval' in the content security policy. This is a security risk. To complicate matters, Google is forcing Chrome extensions to use Manifest v3 as of June 1st 2024 (all other chrome extensions will be disabled/removed from the users device). Manifest v3 does not allow content security policies with "wasm-eval".
Why do these libraries require wasm-eval? I can't think of a reason it would be necessary, but I don't know much about these libs.
The text was updated successfully, but these errors were encountered: