esm-integration
It seems the proposal may help to run browser extensions w/o CSP wasm-unsafe-eval, WDYT?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_webassembly_execution
Yes, wasm modules imported through this proposal don't need wasm-unsafe-eval.
@nicolo-ribaudo Can you explain why this is safer than WebAssembly.compile/WebAssembly.instantiate? It seems that wasm modules imported through this proposal can import anything the importing module can. Couldn't that include data URIs which effectively allow arbitrary JavaScript code to be executed?
It is not safer; however, it is possible to track where they come from because they are not "just some bytes".
Similar to JS, you would be able to say "only allow running Wasm modules loaded from my own domain or example.com" (i.e. script-src 'self' https://example.com/*).
unsafe-wasm-eval is an all-or-nothing choice: if you want to be able to run WebAssembly you cannot protect yourself from accidentally running WebAssembly loaded from an untrusted source.
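Added example, not part of the thread or of the proposal: a simplified JavaScript model of the two decisions discussed above, byte-based compilation gated by a single keyword versus a Wasm module import checked against the `script-src` source list. The function names, origins and policies are constructed for illustration, and the matcher covers only `'self'` and http(s) host sources.

```javascript
// Simplified model of the script-src decisions discussed in this thread.
// Handles only 'self' and http(s) host sources with an optional path;
// no nonces, hashes, wildcards, scheme sources or default-src fallback.
function scriptSrcSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  throw new Error('this model expects an explicit script-src directive');
}

// Byte-based compilation (WebAssembly.compile / WebAssembly.instantiate):
// the policy cannot see where the bytes came from, so one keyword decides.
function allowsWasmFromBytes(policy) {
  const sources = scriptSrcSources(policy);
  return sources.includes("'wasm-unsafe-eval'") || sources.includes("'unsafe-eval'");
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // other keywords allowlist no URL
  let allowed;
  try { allowed = new URL(source); } catch { return false; }
  if (!/^https?:$/.test(allowed.protocol) || allowed.origin !== url.origin) return false;
  // A source path ending in "/" is a prefix match; anything else must match exactly.
  const path = allowed.pathname;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Wasm module loaded by URL through an import: checked like a script URL.
function allowsWasmModuleImport(policy, moduleUrl, pageOrigin) {
  const url = new URL(moduleUrl);
  return scriptSrcSources(policy).some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample values, not taken from the thread.
const PAGE = 'https://app.test';
const strict = "default-src 'none'; script-src 'self' https://example.com";
const evalOn = "script-src 'self' 'wasm-unsafe-eval'";

console.log(allowsWasmFromBytes(strict));
console.log(allowsWasmModuleImport(strict, 'https://example.com/lib/mod.wasm', PAGE));
console.log(allowsWasmModuleImport(strict, 'https://untrusted.test/mod.wasm', PAGE));
console.log(allowsWasmFromBytes(evalOn)); // true for any bytes, whatever their source
```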