fix(csp): allow WebAssembly instantiation via wasm-unsafe-eval
Build and Deploy Verso / deploy (push) Successful in 11m54s
WebAssembly.instantiateStreaming() requires 'wasm-unsafe-eval' in the script-src CSP directive. Unlike 'unsafe-eval', this only permits WASM compilation and does not allow arbitrary eval() calls. Needed for the typst.ts WASM preview (both compiler and renderer).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -85,7 +85,7 @@ const buildViewPolicy = (
|
|||||||
viewDirectives
|
viewDirectives
|
||||||
) => {
|
) => {
|
||||||
const directives = [
|
const directives = [
|
||||||
`script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`, // only allow scripts from certain sources
|
`script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' 'wasm-unsafe-eval' https: 'report-sample'`, // only allow scripts from certain sources
|
||||||
`object-src 'none'`, // forbid loading an "object" element
|
`object-src 'none'`, // forbid loading an "object" element
|
||||||
`base-uri 'none'`, // forbid setting a "base" element
|
`base-uri 'none'`, // forbid setting a "base" element
|
||||||
...(viewDirectives ?? []),
|
...(viewDirectives ?? []),
|
||||||
|
|||||||
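Review bot: 'wasm-unsafe-eval' is added to the script-src entry in the base `directives` array of buildViewPolicy, so it applies to every policy this function builds, not only the view that hosts the typst.ts preview. Consider making the keyword opt-in, for example through an argument to buildViewPolicy that only the preview view sets, so other views keep the narrower script-src. Supplying it through `viewDirectives` as a second script-src would not work, because a repeated directive within one policy is ignored in favour of the first occurrence. The trailing comment `// only allow scripts from certain sources` should also be updated to mention the WASM allowance and its reason, so that a later cleanup neither drops the keyword nor widens it to 'unsafe-eval'.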