Decide on including 'wasm-unsafe-eval' in the default CSP of MV3 extensions
Categories
(WebExtensions :: Compatibility, task, P3)
Tracking
(Not tracked)
People
(Reporter: robwu, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [addons-jira] [wecg])
A goal of MV3 is to block remote code execution in privileged (extension) contexts by default; any use of code execution with non-static scripts should be blocked or at least be opt-in, e.g. via manifest.json
Bug 1740263 introduced support for blocking wasm via CSP with 'wasm-unsafe-eval', and included this in the base and default CSP of MV2 by default, for backwards-compatibility (WIP patch in D142953).
In MV3, we have omitted it from the default CSP, which means that extensions cannot use wasm by default. We did add it to the base CSP, which means that extensions can specify a custom content_security_policy in the manifest.json file to opt in to allowing wasm.
Chrome's current dev build (102) introduces support for 'wasm-unsafe-eval' too, but they did not only add it to the base CSP, but also the default CSP.
I will file a bug on Chromium's issue tracker to highlight this issue, and if the argument for including it in the default CSP is compelling, then we should consider including it in the default CSP of MV3 extensions too.
|
Reporter | |
Comment 1•2 years ago
|
||
I have opened an issue on Chromium's issue tracker at https://bugs.chromium.org/p/chromium/issues/detail?id=1318922, with some more details.
|
|
Reporter | |
Updated•2 years ago
|
|
|
Reporter | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
Reporter | |
Comment 2•2 years ago
•
|
||
Resolution has been reached.
The behavior is as follows, and needs to be documented
- BCD
'wasm-unsafe-eval'entry at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy - note on how/when WebAssembly (wasm) can be used, at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
In Firefox:
- Firefox 101 and earlier: extensions are unconditionally able to use wasm in extensions.
- Firefox 102 (bug 1740263):
- MV2 extensions can continue to use wasm in extensions by default, unless they have specified a custom content_security_policy that disallows
'wasm-unsafe-eval'.- EDIT: given regressions, this has changed to: M2 extensions can unconditionally use wasm (see bug 1770909).
- MV3 extensions cannot use wasm by default, but they can once they add
'wasm-unsafe-eval'tocontent_security_policyin
- MV2 extensions can continue to use wasm in extensions by default, unless they have specified a custom content_security_policy that disallows
In Chrome:
- Chrome 101: extensions not able to use wasm
- Chrome 102: extensions unconditionally able to use wasm (bug) (same behavior as Firefox 101 and earlier)
- Chrome 103: extensions can use wasm only if they add
'wasm-unsafe-eval'tocontent_security_policyin manifest.json (https://crbug.com/1318922).
|
||
Updated•2 years ago
|
|
|
||
Comment 3•2 years ago
|
||
Documentation completed in https://github.com/mdn/content/pull/16943
Description
•