blob: worker fails CSP #374

Open
alexgleason opened this issue Nov 23, 2023 · 2 comments
Comments

@alexgleason

wasmboy.wasm.esm.js:134 Refused to create a worker from 'blob:https://gleasonator.com/7fd7fb97-2f5a-42df-b539-ba71f49485b4' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

kU @ wasmboy.wasm.esm.js:134
wasmboy.wasm.esm.js:134 Uncaught (in promise) DOMException: Failed to construct 'Worker': Access to the script at 'blob:https://gleasonator.com/7fd7fb97-2f5a-42df-b539-ba71f49485b4' is denied by the document's Content Security Policy.
    at new kU (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:58240)
    at vF (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:59067)
    at https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:356221
    at jF._instantiateWorkers (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:356274)
    at jF.uF (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:326936)
    at https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:328430
    at async J (https://gleasonator.com/packs/js/gameboy-9e86e7af.js:8:366438)

Seems like the worker is being loaded as a blob URI. To get around it, I need to add worker-src blob: to my CSP, which I'm not sure I want to do. I wonder if we can load it from a regular URL.

@alexgleason
Author

I ended up adding blob: to script-src in my CSP, now hitting this:

Refused to connect to 'data:application/wasm;base64,AGFzbQEAAAABfRBgAAF/YAF/AX9gAX8AYAAAYAJ/fwF/YAJ/fwBgA39/fwBgBn9/f39/fwBgBH9/f38AYAd/f39/f39/AGAIf39/f39/f38AYAp/f39/f39/f39/AGADf39/AX9gBH9/f38Bf2AFf39/f38Bf2ANf39/f39/f39/f39/fwF/Ag0BA2VudgVhYm9ydAAIA5YBlAEFBQYABAYMBAECAQMCAgMDAwsAAwMDAwMDAwMAAAAADgQPCQcHBQICAwEBAQEBDQICAwEAAQEFAwICAgIEAgICAgQFBgQDAgICAAUGAQEBAQEBAQECAgECAgEBAgEBAQEBAQEBAgAAAAEAAQAAAAIKAgMCAwIDAAAAAAAAAAAAAAAAAAAAAAIDAwAAAAADAwMCAQQCBQMBAAEG3guYAn8BQQALfwFBAAt/AEEAC38AQYAIC38AQYAIC38AQYAIC38AQYAQC38AQYCAAQt/AE...' because it violates the following Content Security Policy directive: "connect-src 'self' blob: https://gleasonator.com wss://gleasonator.com *.tile.openstreetmap.org https://media.gleasonator.com https://proxy.gleasonator.com https://o4505999744499712.ingest.sentry.io".

I @ 2403046c-dc53-4b5b-b00e-2523a87a3616:22

This library should be refactored to not rely on data URIs like this.

@alexgleason
Author

I ended up creating a fork to change the rollup build so wasmboy will fit within my strict CSP: https://gitlab.com/soapbox-pub/wasmboy

And now it's possible to play Game Boy games on Mastodon: https://gleasonator.com/@alex/posts/Ac5HNKguMNj8AkmF0a
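The two refusals in this thread come from CSP directive fallback: a worker URL is checked against `worker-src`, then `child-src`, `script-src` and `default-src`, and a fetch against `connect-src`, then `default-src`, and `'self'` never matches a `blob:` or `data:` URL. The sketch below is an added example, not part of the thread or of wasmboy; it models that lookup for `blob:`/`data:` URLs only, and the function names, the sample URLs and the shortened `connect-src` value are constructed for illustration.

```javascript
// Added example: simplified CSP lookup for blob:/data: URLs only.
// It does not implement host-source matching, nonces or hashes.
const FALLBACK = {
  worker: ["worker-src", "child-src", "script-src", "default-src"],
  connect: ["connect-src", "default-src"],
};

// Split a policy string into directive -> source list.
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Which directive governs this load, and does it allow the URL's scheme?
// blob: and data: URLs only match an explicit scheme-source ("blob:",
// "data:"); 'self' and host wildcards do not cover them.
function checkLocalUrl(header, kind, url) {
  const policy = parsePolicy(header);
  const scheme = url.slice(0, url.indexOf(":") + 1).toLowerCase();
  const directive = FALLBACK[kind].find((d) => policy.has(d));
  if (!directive) return { directive: null, allowed: true }; // unrestricted
  const allowed = policy
    .get(directive)
    .some((source) => source.toLowerCase() === scheme);
  return { directive, allowed };
}

// Constructed inputs: script-src is the value quoted in the first error,
// connect-src is a shortened stand-in for the one in the second error.
const STRICT =
  "script-src 'self' 'wasm-unsafe-eval'; connect-src 'self' blob: https://example.test";
const SCOPED = STRICT + "; worker-src 'self' blob:";
const BLOB_URL = "blob:https://example.test/00000000-0000-0000-0000-000000000000";
const DATA_URL = "data:application/wasm;base64,AGFzbQEAAAA=";

console.log(checkLocalUrl(STRICT, "worker", BLOB_URL));  // governed by script-src
console.log(checkLocalUrl(SCOPED, "worker", BLOB_URL));  // governed by worker-src
console.log(checkLocalUrl(SCOPED, "connect", DATA_URL)); // governed by connect-src
```

With the scoped policy, `blob:` is permitted for workers while `script-src` itself stays unchanged, and the `data:` fetch is still refused by `connect-src`.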
