🛤 Web Content Security Policy

[binji]

This is a tracking issue for a post-MVP feature
It will be updated as the issue progresses.

Topic Content Security Policy
Champion none
Status in progress
Phase Feature proposal
Linked issues WebAssembly/design#1092 WebAssembly/design#205 WebAssembly/design#972
Linked repositories github.com/WebAssembly/content-security-policy

Details

Details

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.

In the context of WebAssembly, CSP can:

• Forbid usage of WebAssembly for developers who opted in to CSP before WebAssembly existed.
• Allow finer-grained control of JavaScript restrictions (including unsafe-eval) versus WebAssembly using new CSP mechanisms.

References:

• MDN description of CSP
• @jfbastien has a first proposal covering CSP as implemented in WebKit.
• This was discussed in the 08-08 video call. A poll encouraged @flagxor to work on this.
• Some folks mentioned Sub-Resource Integrity along with CSP.

[sunfishcode]

Closing as discussed in WebAssembly/design#1534. As of WebAssembly/meetings#561, the CG no longer uses tracking issues to track proposals. See the proposals repo README.md to track the status of proposals.