Add wasm-unsafe-eval to CSP (mdn#16943)
* Add wasm-unsafe-eval to CSP

* Apply suggestions from review

Co-authored-by: Rob Wu <[email protected]>

* Feedback updates

* Added missing space

* Apply suggestions from review

Co-authored-by: Rob Wu <[email protected]>

* Minor fixes

* Apply suggestions from review

Co-authored-by: Rob Wu <[email protected]>

Co-authored-by: Rob Wu <[email protected]>
rebloor and Rob--W authored Jun 11, 2022
1 parent 5020d6f commit e5f359d
Showing 3 changed files with 37 additions and 7 deletions.
Expand Up @@ -54,11 +54,12 @@ The default content security policy for extensions is:
"script-src 'self'; object-src 'self';"
```

This will be applied to any extension that has not explicitly set its own content security policy using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key. It has the following consequences:
These policies are applied to any extension that has not explicitly set its own content security policy using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key. It has the following consequences:

- [You may only load \<script> and \<object> resources that are local to the extension.](#location_of_script_and_object_resources)
- [The extension is not allowed to evaluate strings as JavaScript.](</en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#eval()_and_friends>)
- [The extension is not allowed to evaluate strings as JavaScript.](#eval_and_friends)
- [Inline JavaScript is not executed.](#inline_javascript)
- [WebAssembly cannot be used by default.](#webassembly)

### Location of script and object resources

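Review bot: subject/verb number mismatch in the rewritten sentence at the top of this hunk: "These policies are applied to any extension that has not explicitly set its own content security policy ..." is immediately followed by "It has the following consequences:". The preceding fenced block is a single policy string, so "This policy is applied to any extension ... It has the following consequences:" reads correctly; if the plural is intended, change "It has" to "They have".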
Expand All @@ -68,14 +69,14 @@ Under the default CSP you may only load [\<script>](/en-US/docs/Web/HTML/Element
<script src="https://code.jquery.com/jquery-2.2.4.js"></script>
```

This will no longer load the requested resource: it will fail silently, and any object which you expected to be present from the resource will not be found. There are two main solutions to this:
This doesn't load the requested resource: it fails silently, and any object that you expect to be present from the resource is not found. There are two main solutions to this:

- download the resource, package it in your extension, and refer to this version of the resource
- use the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key or in Manifest V3 the `content_scripts` property, to allow the remote origin you need.
- allow the remote origin you need using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key or, in Manifest V3, the `content_scripts` property.

### eval() and friends

Under the default CSP extensions are not allowed to evaluate strings as JavaScript. This means that the following are not permitted:
Under the default CSP, extensions cannot evaluate strings as JavaScript. This means that the following are not permitted:

```js
eval("console.log('some output');");
Expand All @@ -91,7 +92,7 @@ let f = new Function("console.log('foo');");

### Inline JavaScript

Under the default CSP inline JavaScript is not executed. This disallows both JavaScript placed directly in `<script>` tags and inline event handlers, meaning that the following are not permitted:
Under the default CSP, inline JavaScript is not executed. This disallows both JavaScript placed directly in `<script>` tags and inline event handlers, meaning that the following are not permitted:

```html
<script>console.log("foo");</script>
Expand All @@ -102,3 +103,13 @@ Under the default CSP inline JavaScript is not executed. This disallows both Jav
```

If you are currently using code like `<body onload="main()">` to run your script when the page has loaded, listen for [DOMContentLoaded](/en-US/docs/Web/API/Window/DOMContentLoaded_event) or [load](/en-US/docs/Web/API/Window/load_event) instead.

### WebAssembly

Extensions wishing to use [WebAssembly](/en-US/docs/WebAssembly) require `'wasm-unsafe-eval'` to be specified in the `script-src` directive.

From Firefox 102 and Chrome 103, `'wasm-unsafe-eval'` can be included in the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key to enable the use of WebAssembly in extensions.

Manifest V2 extensions in Firefox can use WebAssembly without `'wasm-unsafe-eval'` in their CSP for backward compatibility. However, this behavior isn't guaranteed, see {{bug(1770909)}}. Extensions using WebAssembly are therefore encouraged to declare `'wasm-unsafe-eval'` in their CSP.

For Chrome, extensions cannot use WebAssembly in version 101 or earlier. In 102, extensions can use WebAssembly (the same behavior as Firefox 101 and earlier). From version 103, extensions can use WebAssembly if they include `'wasm-unsafe-eval'` in the `content_security_policy` in the manifest key.
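Review bot: the closing phrase of the last paragraph, "include `'wasm-unsafe-eval'` in the `content_security_policy` in the manifest key", is garbled; suggest "in the `content_security_policy` manifest key". In the Manifest V2 paragraph, "However, this behavior isn't guaranteed, see {{bug(1770909)}}." is a comma splice; "isn't guaranteed (see {{bug(1770909)}})" avoids it. The Chrome paragraph also repeats the "From version 103" statement already made two paragraphs up; consider folding the Chrome version history into that paragraph, and say explicitly whether the Chrome 103 requirement applies to both manifest versions, since the Manifest V2 exception is only described for Firefox.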
Expand Up @@ -41,9 +41,10 @@ You can use the `"content_security_policy"` manifest key to loosen or tighten th
For example, you can use this key to:

- Allow the extension to load scripts and objects from outside its package, by supplying their URL in the {{CSP("script-src")}} or {{CSP("object-src")}} directives.
- Allow the extension to execute inline scripts, by [supplying the hash of the script in the `"script-src"` directive](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script).
- Allow the extension to execute inline scripts, by [supplying the hash of the script in the `script-src` directive](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script).
- Allow the extension to use `eval()` and similar features, by including `'unsafe-eval'` in the {{CSP("script-src")}} directive.
- Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate [policy directive](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
- Allow the extension to take advantage of [WebAssembly](/en-US/docs/WebAssembly) by including the `'wasm-unsafe-eval'` source in the `script-src` directive.

There are restrictions on the policy you can specify here:

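Review bot: style: the new WebAssembly bullet wraps `script-src` in plain backticks while the sibling bullets in this list use the {{CSP("script-src")}} macro; use the macro here for consistency. "take advantage of" also breaks the pattern of the other bullets (load, execute, use, restrict); suggest "Allow the extension to use [WebAssembly](/en-US/docs/WebAssembly) by including the `'wasm-unsafe-eval'` source in the {{CSP("script-src")}} directive."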
Expand Down Expand Up @@ -200,6 +201,23 @@ Keep the rest of the policy, but also require that images should be packaged wit
}
```

Enable the use of [WebAssembly](/en-US/docs/WebAssembly):

**Manifest V2**

For backward compatibility, Manifest V2 extensions can use WebAssembly without the use of `'wasm-unsafe-eval'`. However, if the extension uses WebAssembly, the inclusion of `'wasm-unsafe-eval'` is recommended. See [WebAssembly](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#webassembly) on the Content Security Policy page for more information.

```json
"content_security_policy": "script-src 'self' 'wasm-unsafe-eval'"
```

**Manifest V3**

```json
"content_security_policy": {
"extension_page": "script-src 'self' 'wasm-unsafe-eval'"
}

### Invalid examples

Policy that omits the `"object-src"` directive:
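Review bot: the Manifest V3 JSON example is missing its closing ``` fence after the `}` line, so the `### Invalid examples` heading and the text that follows it would be rendered inside the code block; add the closing fence. Please also verify the key name in that example: the Manifest V3 `content_security_policy` object uses `extension_pages` (plural), so `"extension_page"` as written would not be recognized. Minor: "without the use of `'wasm-unsafe-eval'`" in the Manifest V2 note can simply be "without `'wasm-unsafe-eval'`", matching the wording used on the Content Security Policy page.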
1 change: 1 addition & 0 deletions files/en-us/mozilla/firefox/releases/102/index.md
Expand Up @@ -61,6 +61,7 @@ This article provides information about the changes in Firefox 102 that will aff
## Changes for add-on developers

- The {{WebExtAPIRef("scripting")}} API, which provides features to execute script, insert and remove CSS, and manage the registration of content scripts is now available to Manifest V2 extensions ({{bug(1766615)}}).
- With the introduction of support for the 'wasm-unsafe-eval' CSP keyword in Firefox ({{bug(1740263)}}), Manifest V3 extensions are now required to specify this keyword in the [content_security_policy](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest key to use [WebAssembly](/en-US/docs/WebAssembly). For backwards-compatibility, Manifest V2 extensions can still use WebAssembly without the keyword ({{bug(1766027)}}).

#### Removals

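Review bot: `'wasm-unsafe-eval'` is not code-formatted in the new bullet, unlike every other occurrence in this commit; wrap it in backticks. "backwards-compatibility" is also hyphenated here while the other two changed files write "backward compatibility"; pick one spelling across the three files.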