https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md has an overview.

See https://github.com/w3c/webappsec-csp/pull/293 for the specification change. The Wasm specification hasn't been updated as far as I can tell, I filed https://github.com/WebAssembly/spec/issues/1393 on that.

This is on our radar and we'll tackle that early next year!

Lars: Can you help me understand how this would be best wired into existing functions?

I see that existing CSP eval() checks are in GlobalObject::isRuntimeCodeGenEnabled, which looks suitable for this case, as wasm is going to be generally disallowed by default CSP's from now on. E.g.:

• CSP says nothing (eval and wasm disallowed)
• CSP allows eval (eval and wasm allowed)
• CSP allows wasm (eval still disallowed, but wasm allowed)

"wasm allowed/disallowed" includes the following execution sinks:
* {{new WebAssembly.Module()}}
* {{WebAssembly.compile()}}
* {{WebAssembly.compileStreaming()}}
* {{WebAssembly.instantiate()}}
* {{WebAssembly.instantiateStreaming()}}

I think I'll be able to figure the ends in our CSP code in parallel.

I expect that a function that looks very much like isRuntimeCodeGenEnabled (call it isWasmRuntimeCodeGenEnabled?) would do just fine. We would hook that into the compiler pipeline at a suitable choke point, I'll look for one. There are a couple of tricky places where we deserialize already-compiled code from the cache, and we want to be sure to cover these too. And we don't always have a JSContext available, and may need to work around that. But that can be my problem.

It sounds like we'll be able to meet in the middle eventually. Currently, I am not entirely sure where that middle is as I found a bit of a gap, having looked deeper into isRuntimeCodeGenEnabled: I am not really sure how its implementation works at all. Currently, there's some funky callback handling with the ScriptSecurityManager that I don't think I will be able to replicate or retrofit for the WASM usecase.

OK. I've reached out to the JS module owner (Jan) to ask about who might know the most about our CSP implementation.

Meanwhile, it looks like hooking whatever facility we end up with into wasm::HasSupport(JSContext*) or wasm::HasPlatformSupport(JSContext*) is fairly reasonable, depending on some fine detail around how we want to handle asm.js (which uses wasm for its back-end).

Jan says to maybe ask him or Olli about details, both cc'd.

I am probably going to work on this in future. Right now the spec isn't ready yet. So we probably need to look into what Chrome is doing. I am mostly curious when the CSP check happens, i.e. in the case of WebAssembly.compileStreaming at the beginning of the function or when the Response argument resolves.

The relevant Chrome/V8 code can be found here: https://source.chromium.org/search?q=IsWasmCodegenAllowed

Depends on D136219

Depends on D141977

Depends on D141978

Depends on D141979

Backed out for causing bp-hybrid bustages on nsScriptSecurityManager.

Push with failures

Failure log
Also we have some xpcshell failures on test_ext_wasm.js . Failure log

Backout link

[task 2022-05-19T00:09:52.654Z] 00:09:52     INFO -  gmake[4]: Entering directory '/builds/worker/workspace/obj-build/caps'
[task 2022-05-19T00:09:52.657Z] 00:09:52     INFO -  /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ --sysroot /builds/worker/fetches/MacOSX10.12.sdk -mmacosx-version-min=10.12 -stdlib=libc++ -std=gnu++17 --target=x86_64-apple-darwin -o nsScriptSecurityManager.o -c  -fvisibility=hidden -fvisibility-inlines-hidden -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -DNDEBUG=1 -DTRIMMED=1 -DOS_POSIX=1 -DOS_MACOSX=1 -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -I/builds/worker/checkouts/gecko/caps -I/builds/worker/workspace/obj-build/caps -I/builds/worker/checkouts/gecko/docshell/base -I/builds/worker/checkouts/gecko/dom/base -I/builds/worker/checkouts/gecko/js/xpconnect/src -I/builds/worker/checkouts/gecko/netwerk/base -I/builds/worker/checkouts/gecko/netwerk/cookie -I/builds/worker/checkouts/gecko/toolkit/components/jsoncpp/include -I/builds/worker/workspace/obj-build/ipc/ipdl/_ipdlheaders -I/builds/worker/checkouts/gecko/ipc/chromium/src -I/builds/worker/workspace/obj-build/dist/include -I/builds/worker/workspace/obj-build/dist/include/nspr -I/builds/worker/workspace/obj-build/dist/include/nss -DMOZILLA_CLIENT -include /builds/worker/workspace/obj-build/mozilla-config.h -Qunused-arguments -Qunused-arguments -Wall -Wbitfield-enum-conversion -Wdeprecated-this-capture -Wempty-body -Wformat-type-confusion -Wignored-qualifiers -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtype-limits -Wno-error=tautological-type-limit-compare -Wunreachable-code -Wunreachable-code-return -Wunused-but-set-parameter -Wno-invalid-offsetof -Wclass-varargs -Wempty-init-stmt -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wno-range-loop-analysis -Wc++2a-compat -Wcomma -Wenum-compare-conditional -Wimplicit-fallthrough -Wduplicate-method-arg -Wduplicate-method-match -Wmissing-method-return-type -Wobjc-signed-char-bool -Wsemicolon-before-method-body -Wsuper-class-method-mismatch -Werror=non-literal-null-conversion -Wstring-conversion -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=backend-plugin -Wno-error=free-nonheap-object -Wno-error=return-std-move -Wno-error=atomic-alignment -Wno-error=deprecated-copy -Wformat -Wformat-security -Wno-gnu-zero-variadic-macro-arguments -Wno-psabi -Wthread-safety -Wno-unknown-warning-option -fno-sized-deallocation -fno-aligned-new -fcrash-diagnostics-dir=/builds/worker/artifacts -fno-exceptions -fPIC -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -gdwarf-4 -Xclang -load -Xclang /builds/worker/workspace/obj-build/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -O3 -fno-omit-frame-pointer -funwind-tables -Werror -fno-strict-aliasing -ffp-contract=off  -MD -MP -MF .deps/nsScriptSecurityManager.o.pp   /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp
[task 2022-05-19T00:09:52.658Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:7:
[task 2022-05-19T00:09:52.658Z] 00:09:52    ERROR -  /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.h:93:56: error: no type named 'RuntimeCode' in namespace 'JS'
[task 2022-05-19T00:09:52.658Z] 00:09:52     INFO -                                                     JS::RuntimeCode kind,
[task 2022-05-19T00:09:52.658Z] 00:09:52     INFO -                                                     ~~~~^
[task 2022-05-19T00:09:52.659Z] 00:09:52    ERROR -  /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:450:31: error: out-of-line definition of 'ContentSecurityPolicyPermitsJSAction' does not match any declaration in 'nsScriptSecurityManager'
[task 2022-05-19T00:09:52.659Z] 00:09:52     INFO -  bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
[task 2022-05-19T00:09:52.659Z] 00:09:52     INFO -                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.660Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:24:
[task 2022-05-19T00:09:52.660Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/ContentPrincipal.h:15:
[task 2022-05-19T00:09:52.660Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:12:
[task 2022-05-19T00:09:52.663Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WebExtensionPolicyBinding.h:13:
[task 2022-05-19T00:09:52.664Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:24:
[task 2022-05-19T00:09:52.665Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/dom/ToJSValue.h:414:3: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.665Z] 00:09:52     INFO -    JS::RootedObject recordObj(aCx, JS_NewPlainObject(aCx));
[task 2022-05-19T00:09:52.666Z] 00:09:52     INFO -    ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.667Z] 00:09:52     INFO -    JS::Rooted<JSObject*>
[task 2022-05-19T00:09:52.667Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:24:
[task 2022-05-19T00:09:52.668Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/ContentPrincipal.h:15:
[task 2022-05-19T00:09:52.668Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:14:
[task 2022-05-19T00:09:52.669Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/MatchPattern.h:13:
[task 2022-05-19T00:09:52.669Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/MatchGlob.h:44:32: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.670Z] 00:09:52     INFO -                                 JS::HandleObject aGivenProto) override;
[task 2022-05-19T00:09:52.670Z] 00:09:52     INFO -                                 ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.670Z] 00:09:52     INFO -                                 JS::Handle<JSObject*>
[task 2022-05-19T00:09:52.670Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:24:
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/ContentPrincipal.h:15:
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:14:
[task 2022-05-19T00:09:52.671Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/MatchPattern.h:225:32: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 JS::HandleObject aGivenProto) override;
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 JS::Handle<JSObject*>
[task 2022-05-19T00:09:52.671Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/MatchPattern.h:304:32: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 JS::HandleObject aGivenProto) override;
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                 JS::Handle<JSObject*>
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -  In file included from /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:24:
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -  In file included from /builds/worker/workspace/obj-build/dist/include/mozilla/ContentPrincipal.h:15:
[task 2022-05-19T00:09:52.671Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:183:40: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -    void GetReadyPromise(JSContext* aCx, JS::MutableHandleObject aResult) const;
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                         ^~~~~~~~~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.671Z] 00:09:52     INFO -                                         JS::MutableHandle<JSObject*>
[task 2022-05-19T00:09:52.672Z] 00:09:52  WARNING -  /builds/worker/workspace/obj-build/dist/include/mozilla/extensions/WebExtensionPolicy.h:221:32: warning: The fully qualified types are preferred over the shorthand typedefs for JS::Handle/JS::Rooted types outside SpiderMonkey.
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -                                 JS::HandleObject aGivenProto) override;
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -                                 ^~~~~~~~~~~~~~~~
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -                                 JS::Handle<JSObject*>
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -  6 warnings and 2 errors generated.
[task 2022-05-19T00:09:52.672Z] 00:09:52    ERROR -  gmake[4]: *** [/builds/worker/checkouts/gecko/config/rules.mk:660: nsScriptSecurityManager.o] Error 1
[task 2022-05-19T00:09:52.672Z] 00:09:52     INFO -  gmake[4]: Leaving directory '/builds/worker/workspace/obj-build/caps'
[task 2022-05-19T00:09:52.673Z] 00:09:52    ERROR -  gmake[3]: *** [/builds/worker/checkouts/gecko/config/recurse.mk:72: caps/target-objects] Error 2
[task 2022-05-19T00:09:52.673Z] 00:09:52     INFO -  gmake[3]: *** Waiting for unfinished jobs....
[task 2022-05-19T00:09:52.673Z] 00:09:52     INFO -  gmake[4]: Entering directory '/builds/worker/workspace/obj-build/docshell/shistory'
[task 2022-05-19T00:09:52.673Z] 00:09:52     INFO -  docshell/shistory/SessionHistoryEntry.o
[task 2022-05-19T00:09:52.673Z] 00:09:52     INFO -  gmake[4]: Leaving directory '/builds/worker/workspace/obj-build/docshell/shistory'
[task 2022-05-19T00:09:52.807Z] 00:09:52     INFO -  gmake[4]: Entering directory '/builds/worker/workspace/obj-build/accessible/xul'

https://hg.mozilla.org/mozilla-central/rev/e1658a2c0baf
https://hg.mozilla.org/mozilla-central/rev/5e08ab4006df
https://hg.mozilla.org/mozilla-central/rev/f7f0363c1875
https://hg.mozilla.org/mozilla-central/rev/9ecb32826850
https://hg.mozilla.org/mozilla-central/rev/94ca7dad5199
https://hg.mozilla.org/mozilla-central/rev/e0600a5f234b

Release Note Request (optional, but appreciated)
[Why is this notable]: We now support the Content-Security-Policy (CSP) directive 'wasm-unsafe-eval'. This means existing webpages that have strict CSP might now block WebAssembly from executing.
[Affects Firefox for Android]: Yes
[Suggested wording]: (suggestions welcome) Similar to Why is this notable.
[Links (documentation, blog post, etc)]: (MDN isn't updated yet)

Is a relnote about this really optional? Some web pages could break, just as web extensions broke in bug 1770667 and bug 1770468 (fixed by not enforcing this feature for older addons for now; won't fix web pages). Not as much risk since Chrome has enforced this for a while, but we definitely need to warn people.

Suggested wording: Firefox now supports the Content-Security-Policy (CSP) integration with WebAssembly. A document with a CSP that restricts scripts will no longer execute WebAssembly unless the CSP uses either the new 'wasm-unsafe-eval' or existing 'unsafe-eval' keyword.

I added the note to Firefox Beta/Release notes.

FYI marked as dev-doc-complete because associated work appears to have been done in https://github.com/mdn/content/issues/17619