Comments (3)
Yes, wasm modules imported through this proposal don't need wasm-unsafe-eval.
from esm-integration.
@nicolo-ribaudo Can you explain why this is safer than `WebAssembly.compile`/`WebAssembly.instantiate`? It seems that wasm modules imported through this proposal can import anything the importing module can. Couldn't that include data URIs which effectively allow arbitrary JavaScript code to be executed?
It is not safer, however it is possible to track where they come from because they are not "just some bytes".
Similar to JS, you would be able to say "only allow running Wasm modules loaded from my own domain or example.com" (i.e. `script-src 'self' https://example.com/*`).
`unsafe-wasm-eval` is an all-or-nothing choice: if you want to be able to run WebAssembly you cannot protect yourself from accidentally running WebAssembly loaded from an untrusted source.
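
The distinction drawn in the last comment, as an added example that is not part of the thread or the proposal: a small auditor that reads a CSP header and reports whether byte-based Wasm compilation is switched on by keyword, and which source expressions are left to gate modules loaded by URL. `parseCsp`, `auditWasm` and the sample headers are constructed here, and the code assumes, as the thread states, that Wasm imported as a module is checked against the `script-src` source list.

```javascript
// Added example: audit how a CSP header gates WebAssembly execution.
// The header strings in SAMPLES are constructed, not taken from a real site.

// Parse a Content-Security-Policy value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (name && !(name.toLowerCase() in policy)) {
      policy[name.toLowerCase()] = sources;
    }
  }
  return policy;
}

// byteCompile: can WebAssembly.compile/instantiate run on arbitrary bytes?
// origins: host/scheme/'self' sources left to gate URL-loaded modules.
function auditWasm(header) {
  const policy = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = policy['script-src'] ?? policy['default-src'] ?? null;
  if (sources === null) {
    return { byteCompile: 'unrestricted', origins: null };
  }
  const lower = sources.map((s) => s.toLowerCase());
  let byteCompile = 'blocked';
  if (lower.includes("'unsafe-eval'")) {
    byteCompile = 'with-js-eval'; // also enables eval() for JavaScript
  } else if (lower.includes("'wasm-unsafe-eval'")) {
    byteCompile = 'wasm-only'; // all-or-nothing: any bytes, any origin
  }
  // Keep only expressions that name where code may be loaded from.
  const origins = sources.filter(
    (s) => !s.startsWith("'") || s.toLowerCase() === "'self'"
  );
  return { byteCompile, origins };
}

const SAMPLES = [
  "default-src 'none'; script-src 'self' https://example.com 'wasm-unsafe-eval'",
  "script-src 'self' https://example.com",
  "default-src 'self' 'unsafe-eval'",
];
for (const header of SAMPLES) {
  console.log(header, '=>', JSON.stringify(auditWasm(header)));
}
```

A result of `blocked` together with a non-empty `origins` list is the posture the last comment describes: no compilation from raw bytes, with URL-loaded modules limited to the listed sources.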