Fix Graphviz WASM module not loading for graph viewer #2085
Conversation
It seems that when we added the CSP policy to the webview, we did not take into account that `d3-graphviz` uses `@hpcc-js/wasm` to load Graphviz as a WASM module. This commit adds `'wasm-unsafe-eval'` to the CSP policy to allow this.
|
Two questions:
|
I tried using
Unfortunately, the spec doesn't list this as a possibility:
There's nothing about checking the nonce, so I don't think it's possible to require a specific nonce. |
|
I've read through the links you've added (thanks for documenting it 👍 ). It's not clear to me what level of risk this change has. Would we be able to make a single exception for |
I don't think we're able to do that, there doesn't seem to be a possibility to specify a nonce in the recommendation (see also |
Hmm, if we trusted that all our JS packages are safe, I think our particular department would be a bit obsolete. Would you be open to considering other JS packs that don't require a CSP change? |
|
Agree with Elena's suggestions. Or could we use a different CSP just for the graph viewer, e.g. by having a boolean |
The graph viewer is an unsupported part of the extension that seems to have been created as part of a hackathon (see #1111). I don't think we should invest any more time than necessary into the graph viewer. I'm not sure there are many other packages that allow us to do the same thing without rewriting large parts of the graph viewer itself.
I have now implemented this. Unfortunately the graph viewer is part of the results view, so we need to set this parameter on the complete results view and can't just limit it to the results view. I think removing the graph viewer entirely would be another possibility. We explicitly state that it's unsupported and might not even reimplement it when we unify the MRVA and local results view unless we explicitly plan time for it. I don't think we have any data on how much it's being used, but we can probably ask the language teams. |
This is correct and I agree. This feature is not officially supported and if it is too much of a support burden, we can turn it off. There are internal users who rely on this feature. And it would be worth understanding how often and in what capacity they use it. |
| @@ -163,7 +166,7 @@ export function getHtmlForWebview( | |||
| /* | |||
| * Content security policy: | |||
| * default-src: allow nothing by default. | |||
| * script-src: allow only the given script, using the nonce. | |||
| * script-src: allow the given script, using the nonce. also allow loading WebAssembly modules. | |||
There was a problem hiding this comment.
| * script-src: allow the given script, using the nonce. also allow loading WebAssembly modules. | |
| * script-src: allow the given script, using the nonce. | |
| * wasm-unsafe-eval: possibly allow loading WebAssembly modules |
There was a problem hiding this comment.
The 'wasm-unsafe-eval' string is actually part of script-src, so I've split it broken up the script-src into two parts: one for the script and one for wasm eval.
It seems that when we added the CSP policy to the webview, we did not take into account that
d3-graphvizuses@hpcc-js/wasmto load Graphviz as a WASM module. This commit adds'wasm-unsafe-eval'to the CSP policy to allow this.This also fixes a warning emitted by the module because we're not telling it we're not using WebWorkers.
Closes #2077
Checklist
ready-for-doc-reviewlabel there.