CSP wasm-unsafe-eval directive is not enforced during WebAssembly byte compilation
4003087
CSP's wasm-unsafe-eval gates whether a browsing context may compile and execute WebAssembly. WebKit implemented the gate through globalObject->webAssemblyEnabled() — but the call appeared only in JSWebAssemblyInstance::tryCreate() (instantiation), not at the compilation stage. A WebAssembly.Module is structured-cloneable per spec, so an attacker could compile in a context that bypasses the check, postMessage the Module to a same-origin Worker, and instantiate there — defeating the policy entirely.
+ if (!globalObject->webAssemblyEnabled())
+ return JSValue::encode(throwException(globalObject, throwScope,
+ createEvalError(globalObject, globalObject->webAssemblyDisabledErrorMessage())));
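Review bot: the guard on these three lines throws synchronously through throwException(...) with createEvalError(...), while the description says each entry point "rejects with CompileError", so the error class in the code and the one in the text disagree and one of them should be corrected. For the promise-returning entry points (WebAssembly.compile(), compileStreaming(), instantiateStreaming()), please confirm that this throw is converted into a rejected promise rather than escaping as a synchronous exception, and add a test per entry point that asserts both the rejection and the error type. A short comment above the check stating that it must run before any byte parsing or fetch would also help keep later refactors from moving it.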
The check is added to WebAssembly.compile(), new WebAssembly.Module(), WebAssembly.compileStreaming(), and WebAssembly.instantiateStreaming(). Each rejects with CompileError before bytecode parsing or network fetch begins. Two long-open FIXMEs (bugs 173977 and 173105) are removed.
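A regression probe for the four entry points listed above, added here as an example and not taken from WebKit's code or test suite: it tries each compile path with a constructed empty module and reports which ones still compile. The names `probeWasmCompileGates` and `ungatedEntryPoints` are assumptions of this example.

```javascript
// Constructed sample input: the smallest valid module ("\0asm" magic + version 1).
const EMPTY_MODULE = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Run one entry point and classify the outcome. A synchronous throw and a
// rejected promise are both recorded as "blocked", with the error class kept
// so the test can check which error the engine raised.
async function probe(name, fn) {
  try {
    await fn();
    return { name, outcome: "compiled" };
  } catch (e) {
    return { name, outcome: "blocked", error: e && e.name };
  }
}

// Exercise every compile entry point named in the fix description.
async function probeWasmCompileGates(bytes = EMPTY_MODULE) {
  const checks = [
    ["new WebAssembly.Module", () => new WebAssembly.Module(bytes)],
    ["WebAssembly.compile", () => WebAssembly.compile(bytes)],
  ];
  // The streaming APIs need a Response served as application/wasm.
  if (typeof Response === "function" &&
      typeof WebAssembly.compileStreaming === "function") {
    const wasmResponse = () =>
      new Response(bytes, { headers: { "Content-Type": "application/wasm" } });
    checks.push(["WebAssembly.compileStreaming",
      () => WebAssembly.compileStreaming(wasmResponse())]);
    checks.push(["WebAssembly.instantiateStreaming",
      () => WebAssembly.instantiateStreaming(wasmResponse())]);
  }
  const results = [];
  for (const [name, fn] of checks) results.push(await probe(name, fn));
  return results;
}

// Under a policy without 'wasm-unsafe-eval' this list must be empty;
// any name returned is an entry point the policy did not gate.
function ungatedEntryPoints(results) {
  return results.filter((r) => r.outcome === "compiled").map((r) => r.name);
}
```

Run it from a page served with a CSP that omits `wasm-unsafe-eval`, once in the document and once inside a Worker, and fail the test if `ungatedEntryPoints` returns anything in either context.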
Significance
Closes a real CSP bypass that had been latent since the streaming APIs were introduced — wasm-unsafe-eval now blocks Module construction itself, not just instantiation.
Audit directions
The new check placement across worker types and streaming redirect paths raises several edge cases worth security investigation.