fix(csp): allow WebAssembly instantiation via wasm-unsafe-eval
Build and Deploy Verso / deploy (push) Successful in 11m54s
WebAssembly.instantiateStreaming() requires 'wasm-unsafe-eval' in the script-src CSP directive. Unlike 'unsafe-eval', this only permits WASM compilation and does not allow arbitrary eval() calls.

Needed for the typst.ts WASM preview (both compiler and renderer).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -85,7 +85,7 @@ const buildViewPolicy = (
|
||||
viewDirectives
|
||||
) => {
|
||||
const directives = [
|
||||
`script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`, // only allow scripts from certain sources
|
||||
`script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' 'wasm-unsafe-eval' https: 'report-sample'`, // only allow scripts from certain sources
|
||||
`object-src 'none'`, // forbid loading an "object" element
|
||||
`base-uri 'none'`, // forbid setting a "base" element
|
||||
...(viewDirectives ?? []),
|
||||
|
||||
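Review bot: 'wasm-unsafe-eval' is added to the base script-src entry of the directives array, so every policy that buildViewPolicy builds carries it whatever viewDirectives contains, while the commit message says only the typst.ts preview needs it. Consider gating the keyword behind a parameter so that only the preview view opts in, and extend the trailing comment ("only allow scripts from certain sources") to say that WASM compilation is now permitted and why.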