Skip to content

Merge CSP into main#2198

Open
fgmccabe wants to merge 83 commits into
mainfrom
csp
Open

Merge CSP into main#2198
fgmccabe wants to merge 83 commits into
mainfrom
csp

Conversation

@fgmccabe

@fgmccabe fgmccabe commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

This (should) reflect changes needed to incorporate phase 4 csp.

This should probably NOT just be merged, as the change seems to include notes that might not normally be part of the spec.

flagxor and others added 30 commits November 1, 2017 10:12
@flagxor
Adding CSP proposal.
eee3f9b
@flagxor
Update README.
d69bc5d
@eholk
Provide background on CSP threat model and use cases
7aa2d37 
Issue #1
@flagxor
Add table detailing combinations.
14755e6
@eholk
Merge pull request #6 from eholk/threat-model
0487ca8 
Provide background on CSP threat model and use cases
@eholk
Summarize API behavior and threats relative to CSP
ed2c962
@eholk
Fix typos
21342e3
@eholk
Reaffirm out of scope risks
0659dc5
@eholk
Merge branch 'master' of github.com:WebAssembly/spec into merge-master
60c71ca
@eholk
Pull in latest changes from WebAssembly/spec repo
05341cd 
Pull in latest changes from WebAssembly/spec repo
@eholk
Starting to define abstract operation hooks
7d3b908
@eholk
Add HostEnsureCanCompileWasmBytes hook for CSP
d2caac3
@eholk
Add HostEnsureCanCompileWasmResponse for interacting with CSP
e22a366
@eholk
Delete spurious newline
87945e9
Add table entries for instantiation
3eef43b
Reword paragraph about CSP threat model
529968a
Merge branch 'master' into threat-summary
0acfec0
Rename \'wasm-eval\' to \'wasm-unsafe-eval\'
60bbf51
Remove reference to mimetype hardening
fca6045
Always allow WebAssembly.validate()
55eae1b
Merge pull request #17 from WebAssembly/rename_wasm_eval
fe0e372 
Rename 'wasm-eval' to 'wasm-unsafe-eval' Fixes #15.
Merge pull request #18 from WebAssembly/remove_mime_type
53f60d4 
Remove reference to mimetype hardening
Rework final table for clarity
86a899f
Merge pull request #20 from WebAssembly/allow_validate
f1cb729 
Always allow WebAssembly.validate()
Fix table
8fd4402
Add note about unsafe-eval implying wasm-unsafe-eval
e822b29
Merge branch 'master' into rework_final_table
edb4502
Merge pull request #21 from WebAssembly/rework_final_table
0c9bce3 
Rework final table for clarity
Merge pull request #16 from WebAssembly/threat-summary
57b7b52 
Summarize API behavior and threats relative to CSP
@technohippy
fix typo
ca8a1b3
fgmccabe and others added 27 commits March 24, 2022 16:45
@fgmccabe
Fixed up bikeshed errors
76c7781
@ngzhian @fgmccabe
[spec] Fix missing mention of vectype (#1436)
e15864d 
Fixed #1435.
@keithw @fgmccabe
[spec] Fix single-table limitation in module instantiation (#1434)
74381a7
@keithw @fgmccabe
[spec] Fix missing immediate on table.set (#1441)
a5bd4b9
@codefromthecrypt @fgmccabe
[docs] Update syntax in examples (#1442)
0121c84
@rossberg @fgmccabe
Clarification in proposals README
be2489e
@rossberg @fgmccabe
[interpreter] Tweak start section AST to match spec
e190ac3
@rossberg @fgmccabe
[spec] Bump release to 2 (#1443)
7e64d2c 
At yesterday's WG meeting, we decided to make a new release, now switching to the Evergreen model. For administrative and technical reasons having to do with W3C procedure, we decided to bump the release number to 2.

From now on, the standard will iterate at version 2 from the W3C's official perspective. We use minor release numbers internally to distinguish different iterations.

(@ericprud, I hope I understood correctly that the Bikeshed "level" also needed to be bumped to 2.)
@eholk @fgmccabe
Starting to define abstract operation hooks
7bcf319
@eholk @fgmccabe
Add HostEnsureCanCompileWasmBytes hook for CSP
13fcaec
@fgmccabe
Revised and simplified note
c3996e8
@fgmccabe
Changed wasm-eval to wasm-unsafe-eval
9247d8d
@fgmccabe
Removed funny dangling entry
31ede6b
@fgmccabe
Ensure compile as well as compile streaming guarded
c274959
@fgmccabe
Remove duplicate text
2746eae
@fgmccabe
Merge pull request #41 from WebAssembly/curfuffle
dd75e5b 
Curfuffle
@fgmccabe
Merge remote-tracking branch 'upstream/main' into curfuffle
ed5df37
@fgmccabe
Take out use of HostEnsureCanCompileWasmBytes from web-api
011ae57 
Redundant: already covered in js-api
@fgmccabe
Merge remote-tracking branch 'upstream/wasm-3.0' into curfuffle
63f01a2
@fgmccabe
Merge pull request #45 from WebAssembly/curfuffle
cfa8673 
Merge from upstream wasm 3.0
@fgmccabe
Drop some spaces
04b0388
@fgmccabe
Drop more spaces
9f09100
@fgmccabe
Add back section on implementation defined operations
7c1478f
@fgmccabe
Remove bytes argument from HostEnsureCanCompileWasmBytes
2b81a76
@fgmccabe
Fixed markdown indentation error
48feb4b
@fgmccabe
Remove reference to HostEnsureWasmCanCompile
893da3b 
Not needed in web-api spec.
@fgmccabe
Merge remote-tracking branch 'upstream/main'
284adaf
tlively
tlively reviewed Jun 23, 2026
View reviewed changes

@tlively tlively left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there expected to be any tests here?

Comment thread document/web-api/index.bs

@tlively tlively Jun 23, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are the deletions here expected? It seems it would be better to edit the "Security and Privacy Considerations" section rather than remove it.

rossberg
rossberg reviewed Jun 23, 2026
View reviewed changes
Comment thread README.md Outdated
[![CI for specs](https://github.com/WebAssembly/spec/actions/workflows/ci-spec.yml/badge.svg)](https://github.com/WebAssembly/spec/actions/workflows/ci-spec.yml)
[![CI for interpreter & tests](https://github.com/WebAssembly/spec/actions/workflows/ci-interpreter.yml/badge.svg)](https://github.com/WebAssembly/spec/actions/workflows/ci-interpreter.yml)

# Content Security Policy Proposal for WebAssembly

@rossberg rossberg Jun 23, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'll want to undo the changes to the README.

@fgmccabe
Update README to remove CSP proposal details
8227401 
Removed the Content Security Policy proposal section from the README.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rossberg rossberg rossberg left review comments
@tlively tlively tlively left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@fgmccabe @rossberg @tlively @flagxor @eholk @technohippy @ngzhian @keithw @codefromthecrypt