wasm-crypto not loading in environments where wasm-unsafe-eval CSP is not allowed

[krhougs]

TL;DR

Please change current dynamic loading codes to simply import wasmBytes from "path/to.wasm" in the production bundle to make the library work in secure environments.

I am trying to sign payloads within a Cloudflare Worker. The runtime refuses loading the wasm bytes in memory since the CSP policy wasm-unsafe-eval is not allowed in the runtime. After some research, I found that this affects multiple scenarios:

• Electron where dynamic evaluating is blocked by default
• Browser environments that blocks wasm-unsafe-eval explicitly
• Node.js environments that blocks wasm-unsafe-eval explicitly

I appreciate the current dynamic façon to keep the bundle tiny in size, but it won't work in some secure environments.

Some reading: https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md

Expected: the library should load
Current: FATAL: Unable to initialize @polkadot/wasm-crypto:: WebAssembly.instantiate(): Wasm code generation disallowed by embedder

This happens in ANY Environment where wasm-unsafe-eval is not allowed

• Environment:

  • Node.js
  • Browser
  • Other (limited support for other environments)

[uno-b]

I'm creating an extension and having the same problem. Defining "wasm-unsafe-eval" in my Manifest.v2 fixes my problem, but not in Manifest.v3 because of the security changes. So it's only a temporary solution.

[krhougs]

@jacogr