Wasm module compile error in Chrome Extension

后端 未结 2 1712
无人及你
无人及你 2021-02-19 14:10

In my extension I want to use my own WebAssembly module.

After loading my module (to background.html, or popup.html), I catch the compile erro

相关标签:
2条回答
  • 2021-02-19 14:42

    It seems from this issue that Chrome requires script-src: 'unsafe-eval' CSP directive be active for WebAssembly compilation. See this discussion as to why this is the case, at least for now.

    Chrome Extensions come with default restrictions on CSP; that includes not allowing unsafe-eval. Some of the restrictions cannot be lifted; in this case, you can allow unsafe-eval by adding a manifest key:

    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
    

    This should be enough to test if Wasm works in extensions. But heed this warning from documentation:

    However, we strongly recommend against doing this. These functions are notorious XSS attack vectors.

    Instead of allowing unsafe-eval for your whole extension, you can sandbox code that requires it, using the following approach from the docs:

    Using eval in Chrome Extensions. Safely.

    The gist of it is to create a separate page in your extension, where unsafe-eval is allowed but Chrome API access is disallowed; you then embed this page in your extension and communicate with it using postMessage().

    0 讨论(0)
  • 2021-02-19 14:47

    Chrome implemented special policy 'wasm-eval' exclusively for apps and extensions to resolve this problem. It is chrome-specific, but slowly moving into CSP and WebAssembly standards. Just replace 'unsafe-eval' with 'wasm-eval' in @Xan's solution.

    Note though, this is still an attack vector and it's your responsibility to verify the source of executed assembly. See for example uBlock's author thoughts on this policy.

    0 讨论(0)
提交回复
热议问题