If a page has a Content Security Policy header and the `script-src` (or
`default-src`) directive does not contain neither `wasm-unsafe-eval` nor
`unsafe-eval` loading and executing WebAssembly is blocked in the page
(although it is still possible to load and execute WebAssembly in a
worker thread).
Although the Nextcloud classes to manage the CSP already supported
allowing `unsafe-eval` this affects not only WebAssembly, but also the
`eval` operation in JavaScript.
To make possible to allow WebAssembly execution without allowing
JavaScript `eval` this commit adds support for allowing
`wasm-unsafe-eval`.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* Deprecate our default CSP
* Add strict CSP that is always our strictest setting
* Add strict eval CSP (disable unsafe-eval)
* Add strict inline CSP (disables inline styles)
This is just to move forward and have a incremental improvement of our
CSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Andy Scherzinger
Daniel Calviño Sánchez
Joas Schilling
John Molakvoæ (skjnldsv)
Julius Härtl
Christoph Wurst
Roeland Jago Douma