From e5f359d63f16f0e0028dd144ac2a86b28ea652e0 Mon Sep 17 00:00:00 2001 From: rebloor Date: Sun, 12 Jun 2022 05:45:06 +1200 Subject: [PATCH] Add wasm-unsafe-eval to CSP (#16943) * Add wasm-unsafe-eval to CSP * Apply suggestions from review Co-authored-by: Rob Wu * Feedback updates * Added missing space * Apply suggestions from review Co-authored-by: Rob Wu * Minor fixes * Apply suggestions from review Co-authored-by: Rob Wu Co-authored-by: Rob Wu --- .../content_security_policy/index.md | 23 ++++++++++++++----- .../content_security_policy/index.md | 20 +++++++++++++++- .../mozilla/firefox/releases/102/index.md | 1 + 3 files changed, 37 insertions(+), 7 deletions(-) diff --git a/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md b/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md index 088f80be55224a1..95ed8744a4de7c6 100644 --- a/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md +++ b/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md 
@@ -54,11 +54,12 @@ The default content security policy for extensions is: "script-src 'self'; object-src 'self';" ``` -This will be applied to any extension that has not explicitly set its own content security policy using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key. It has the following consequences: +These policies are applied to any extension that has not explicitly set its own content security policy using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key. It has the following consequences: - [You may only load \ ``` -This will no longer load the requested resource: it will fail silently, and any object which you expected to be present from the resource will not be found. There are two main solutions to this: +This doesn't load the requested resource: it fails silently, and any object that you expect to be present from the resource is not found. There are two main solutions to this: - download the resource, package it in your extension, and refer to this version of the resource -- use the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key or in Manifest V3 the `content_scripts` property, to allow the remote origin you need. +- allow the remote origin you need using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key or, in Manifest V3, the `content_scripts` property. ### eval() and friends -Under the default CSP extensions are not allowed to evaluate strings as JavaScript. This means that the following are not permitted: +Under the default CSP, extensions cannot evaluate strings as JavaScript. This means that the following are not permitted: ```js eval("console.log('some output');"); 
@@ -91,7 +92,7 @@ let f = new Function("console.log('foo');"); ### Inline JavaScript -Under the default CSP inline JavaScript is not executed. This disallows both JavaScript placed directly in ` @@ -102,3 +103,13 @@ Under the default CSP inline JavaScript is not executed. This disallows both Jav ``` If you are currently using code like `` to run your script when the page has loaded, listen for [DOMContentLoaded](/en-US/docs/Web/API/Window/DOMContentLoaded_event) or [load](/en-US/docs/Web/API/Window/load_event) instead. + +### WebAssembly + +Extensions wishing to use [WebAssembly](/en-US/docs/WebAssembly) require `'wasm-unsafe-eval'` to be specified in the `script-src` directive. + +From Firefox 102 and Chrome 103, `'wasm-unsafe-eval'` can be included in the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key to enable the use of WebAssembly in extensions. + +Manifest V2 extensions in Firefox can use WebAssembly without `'wasm-unsafe-eval'` in their CSP for backward compatibility. However, this behavior isn't guaranteed, see {{bug(1770909)}}. Extensions using WebAssembly are therefore encouraged to declare `'wasm-unsafe-eval'` in their CSP. + +For Chrome, extensions cannot use WebAssembly in version 101 or earlier. In 102, extensions can use WebAssembly (the same behavior as Firefox 101 and earlier). From version 103, extensions can use WebAssembly if they include `'wasm-unsafe-eval'` in the `content_security_policy` in the manifest key. \ No newline at end of file diff --git a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md index 63442b83fca52a9..37aa36ac825d802 100644 --- a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md +++ b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md 
@@ -41,9 +41,10 @@ You can use the `"content_security_policy"` manifest key to loosen or tighten th For example, you can use this key to: - Allow the extension to load scripts and objects from outside its package, by supplying their URL in the {{CSP("script-src")}} or {{CSP("object-src")}} directives. -- Allow the extension to execute inline scripts, by [supplying the hash of the script in the `"script-src"` directive](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script). +- Allow the extension to execute inline scripts, by [supplying the hash of the script in the `script-src` directive](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script). - Allow the extension to use `eval()` and similar features, by including `'unsafe-eval'` in the {{CSP("script-src")}} directive. - Restrict permitted sources for other types of content, such as images and stylesheets, using the appropriate [policy directive](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy). +- Allow the extension to take advantage of [WebAssembly](/en-US/docs/WebAssembly) by including the `'wasm-unsafe-eval'` source in the `script-src` directive. There are restrictions on the policy you can specify here: 
@@ -200,6 +201,23 @@ Keep the rest of the policy, but also require that images should be packaged wit } ``` +Enable the use of [WebAssembly](/en-US/docs/WebAssembly): + +**Manifest V2** + +For backward compatibility, Manifest V2 extensions can use WebAssembly without the use of `'wasm-unsafe-eval'`. However, if the extension uses WebAssembly, the inclusion of `'wasm-unsafe-eval'` is recommended. See [WebAssembly](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#webassembly) on the Content Security Policy page for more information. + +```json +"content_security_policy": "script-src 'self' 'wasm-unsafe-eval'" +``` + +**Manifest V3** + +```json +"content_security_policy": { + "extension_page": "script-src 'self' 'wasm-unsafe-eval'" +} + ### Invalid examples Policy that omits the `"object-src"` directive: diff --git a/files/en-us/mozilla/firefox/releases/102/index.md b/files/en-us/mozilla/firefox/releases/102/index.md index 4f92ad4bcfb3b96..1c7ff12a70a286b 100644 --- a/files/en-us/mozilla/firefox/releases/102/index.md +++ b/files/en-us/mozilla/firefox/releases/102/index.md @@ -61,6 +61,7 @@ This article provides information about the changes in Firefox 102 that will aff ## Changes for add-on developers - The {{WebExtAPIRef("scripting")}} API, which provides features to execute script, insert and remove CSS, and manage the registration of content scripts is now available to Manifest V2 extensions ({{bug(1766615)}}). +- With the introduction of support for the 'wasm-unsafe-eval' CSP keyword in Firefox ({{bug(1740263)}}), Manifest V3 extensions are now required to specify this keyword in the [content_security_policy](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest key to use [WebAssembly](/en-US/docs/WebAssembly). For backwards-compatibility, Manifest V2 extensions can still use WebAssembly without the keyword ({{bug(1766027)}}). #### Removals
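Review bot: in the hunk at `@@ -54,11 +54,12 @@` of `webextensions/content_security_policy/index.md`, the rewritten sentence changes number mid-way: "These policies are applied to any extension that has not explicitly set its own content security policy ..." is immediately followed by "It has the following consequences:". Since the block above shows one default policy string, "This policy is applied to any extension ... It has the following consequences:" is the simpler fix; otherwise change the second sentence to "They have the following consequences:".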
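Review bot: the new WebAssembly section in the hunk at `@@ -102,3 +103,13 @@` describes the Manifest V2 exemption ("Manifest V2 extensions in Firefox can use WebAssembly without `'wasm-unsafe-eval'`") but never states the consequence for Manifest V3, even though the Firefox 102 release note in this same patch says MV3 extensions "are now required to specify this keyword". Add a sentence to that effect so the requirement is documented where developers look for it. Two smaller points in the same hunk: the last sentence reads "in the `content_security_policy` in the manifest key", which should be "in the `content_security_policy` manifest key"; and the file now ends with `\ No newline at end of file`, so a trailing newline should be added.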
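Review bot: the new bullet in the hunk at `@@ -41,9 +41,10 @@` of `manifest.json/content_security_policy/index.md` writes the directive as plain `script-src`, while the first and third bullets of the same list use the `{{CSP("script-src")}}` macro. Either use the macro in the new bullet (and in the inline-scripts bullet this hunk edits) or switch the whole list to the plain form; mixing both in one list is inconsistent.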
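Review bot: the Manifest V3 example in the hunk at `@@ -200,6 +201,23 @@` opens a ```json fence after "**Manifest V3**" but never closes it: the block ends with `}` followed by a blank line and then `### Invalid examples`, so that heading and everything after it will render inside the code block. Add a closing ``` line after the `}`. Please also double-check the object key written as `"extension_page"` in that example; the Manifest V3 `content_security_policy` object key is `extension_pages` (plural) in both Firefox and Chrome, so as written the example would not be accepted.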
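Review bot: in the Firefox 102 release-note hunk at `@@ -61,6 +61,7 @@`, `'wasm-unsafe-eval'` appears without backticks and "backwards-compatibility" is hyphenated, whereas the two documentation files in this same patch write `'wasm-unsafe-eval'` in backticks and use "backward compatibility". Harmonise the spelling and formatting across the three files before merging.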