Conversation
Provide background on CSP threat model and use cases
Pull in latest changes from WebAssembly/spec repo
Rename 'wasm-eval' to 'wasm-unsafe-eval' Fixes #15.
Remove reference to mimetype hardening
Always allow WebAssembly.validate()
Rework final table for clarity
Summarize API behavior and threats relative to CSP
At yesterday's WG meeting, we decided to make a new release, now switching to the Evergreen model. For administrative and technical reasons having to do with W3C procedure, we decided to bump the release number to 2. From now on, the standard will iterate at version 2 from the W3C's official perspective. We use minor release numbers internally to distinguish different iterations. (@ericprud, I hope I understood correctly that the Bikeshed "level" also needed to be bumped to 2.)
Redundant: already covered in js-api
Merge from upstream wasm 3.0
Not needed in web-api spec.
tlively
left a comment
There was a problem hiding this comment.
Are there expected to be any tests here?
There was a problem hiding this comment.
Are the deletions here expected? It seems it would be better to edit the "Security and Privacy Considerations" section rather than remove it.
| [](https://github.com/WebAssembly/spec/actions/workflows/ci-spec.yml) | ||
| [](https://github.com/WebAssembly/spec/actions/workflows/ci-interpreter.yml) | ||
|
|
||
| # Content Security Policy Proposal for WebAssembly |
There was a problem hiding this comment.
You'll want to undo the changes to the README.
Removed the Content Security Policy proposal section from the README.
eqrion
left a comment
There was a problem hiding this comment.
I'd also be interested to know if there are tests for this already in WPT.
| <h3 id="host-ensure-can-compile-wasm-bytes">HostEnsureCanCompileWasmBytes()</h3> | ||
|
|
||
| <dfn abstract-op>HostEnsureCanCompileWasmBytes()</dfn> is an implementation-defined abstract operation | ||
| that allows host environments to block certain WebAssembly functions which | ||
| compile bytes into WebAssembly code. | ||
|
|
||
| An implementation of HostEnsureCanCompileWasmBytes may complete normally or | ||
| abruptly. Any abrupt completions will be propagated to its callers. The default | ||
| implementation of HostEnsureCanCompileWasmBytes is to unconditionally return an | ||
| empty normal completion. |
There was a problem hiding this comment.
The concrete instantiation of this abstract operation requires a realm to be passed in [1]. I think we need to have that be an operand and explicitly provide it. We can probably just do Let |realm| be the [=current Realm=] in the right places.
Also CSP calls it "EnsureCSPDoesNotBlockWasmByteCompilation" not HostEnsureCanCompileWasmBytes. Not sure if that's an issue.
[1] https://w3c.github.io/webappsec-csp/#can-compile-wasm-bytes
|
|
||
| <div algorithm> | ||
| To <dfn>compile a WebAssembly module</dfn> from source bytes |bytes|, perform the following steps: | ||
| 1. Perform [$HostEnsureCanCompileWasmBytes()$]. |
There was a problem hiding this comment.
This will happen when you call WebAssembly.validate. Is that intentional? It's also called by "asynchronously compile a WebAssembly module" in the "in parallel" section. My understanding is that's not allowed because it implies there could be racy accesses to the realm to perform the CSP check.
I think we should remove this check here and move it to the JS-API entry points that need it. So the WebAssembly.Module constructor, WebAssembly.compile, WebAssembly.instantiate, and WebAssembly.instantiateStreaming.
|
|
||
| <div algorithm> | ||
| To <dfn>compile a WebAssembly module</dfn> from source bytes |bytes|, perform the following steps: | ||
| 1. Perform [$HostEnsureCanCompileWasmBytes()$]. |
There was a problem hiding this comment.
| 1. Perform [$HostEnsureCanCompileWasmBytes()$]. | |
| 1. Perform [=?=] [$HostEnsureCanCompileWasmBytes()$]. |
I believe we can use the ReturnIfAbrupt macro here. We use it elsewhere in the spec.
This (should) reflect changes needed to incorporate phase 4 csp.
This should probably NOT just be merged, as the change seems to include notes that might not normally be part of the spec.