Comments (8)
I was mistaken. Manifest v2 used wasm-eval. That's been removed. Now you can use 'wasm-unsafe-eval' in manifest v3.
However, ideally this lib wouldn't require it.
from virgil-crypto-javascript.
This shouldn't be closed. It's a security risk in the libs to use those methods then deploy to a website or chrome extension.
This library is based on wasm; you do understand that?
Yes. wasm-eval and wasm-unsafe-eval are not required in order to execute wasm. They're only required when the underlying wasm library makes unsafe calls.
We never intended to support Google Chrome extensions anyway.
It's still a security risk when used in a browser. Seems really odd a security company is fighting this...? I mean, if I'm wrong in some way, that's one thing. But from my understanding the "eval"-like functions allow arbitrary code to be run.
It's an open source project, you are welcome to make a PR.
If you can prove that it's actually a security issue and arbitrary code can actually be run, then please do. Otherwise let's not waste everyone's time.
Based on the WebAssembly Sandbox, as described at https://github.com/WebAssembly/content-security-policy/blob/4c61db828b4a0739e4500e8d42d0ec85ef05505a/proposals/CSP.md#the-wasm-unsafe-eval-source-directive/ it seems the risk is small. I was a little thrown by the use of the words `unsafe` and `eval`.
Here's why I believe they're used, and it seems necessary to use them as there aren't alternatives yet. As described at https://developer.mozilla.org/en-US/docs/WebAssembly/Loading_and_running:
WebAssembly is not yet integrated with <script type='module'> or import statements, thus there is not a path to have the browser fetch modules for you using imports.
The older WebAssembly.compile/WebAssembly.instantiate methods require you to create an ArrayBuffer containing your WebAssembly module binary after fetching the raw bytes, and then compile/instantiate it. **This is analogous to new Function(string), except that we are substituting a string of characters (JavaScript source code) with an array buffer of bytes (WebAssembly source code).**
The bit in bold indicates the relation between the compile/instantiate calls and new Function(string). The `eval` word is used in CSP because of this relation. The same security risks that apply to "new Function(string)" or "eval()" in JavaScript apply to Wasm instantiate calls; however, wasm's sandbox may help reduce risk. In short, arbitrary/dynamic remote code execution is possible. However, at this time that's the only way to load wasm modules. There is a risk, but nothing can be done about it if you want to use WebAssembly.
Having this understanding, and being able to explain it, is not a waste of time. Users shouldn't be throwing 'unsafe' and 'eval' words into their CSP without understanding what the security impact of doing so is. `wasm-unsafe-eval` is not limited to Chrome Extensions in scope. It applies to the entire web.
Whether the ticket stays opened or closed is up to you. There's nothing to do about it for now.
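The last comment above describes what `wasm-unsafe-eval` stands in for: CSP treats compiling WebAssembly from a byte buffer the way it treats `new Function(string)`, and `script-src` (falling back to `default-src`) has to carry `'wasm-unsafe-eval'` or the broader `'unsafe-eval'` before `WebAssembly.compile`, `WebAssembly.instantiate` or `new WebAssembly.Module` will run. The following is an added example, not code from virgil-crypto-javascript or from any commenter: a small checker that decides whether a given CSP header permits that compilation, the two headers the thread is arguing about, and a hand-assembled (constructed for this example) `add` module that exercises the exact constructor the policy gates. The function names, the header strings and the module bytes are all this example's own assumptions.

```javascript
// Added example (not code from virgil-crypto-javascript or the commenter):
// what 'wasm-unsafe-eval' actually gates, and how to check a CSP for it.
//
// Per CSP Level 3, compiling WebAssembly from bytes (WebAssembly.compile,
// WebAssembly.instantiate, new WebAssembly.Module) is governed by script-src,
// falling back to default-src, and is permitted only when that directive
// contains 'wasm-unsafe-eval' or the broader 'unsafe-eval'. The keyword
// applies to WebAssembly compilation only; it does not re-enable JavaScript
// eval() or new Function(), which is why it is preferable to 'unsafe-eval'.

// Parse a CSP header into directive-name -> list of source expressions.
// Directive names and keyword sources are ASCII case-insensitive, and a
// browser honours only the first occurrence of a repeated directive.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// True when a page shipping this header may compile wasm from an ArrayBuffer.
// The Chrome Manifest V2 keyword 'wasm-eval' mentioned in the thread is not a
// standard CSP keyword and is deliberately not recognised here.
function wasmCompileAllowed(header) {
  const directives = parseCsp(header);
  const governing = directives.get("script-src") ?? directives.get("default-src");
  if (governing === undefined) return true; // nothing restricts script execution
  return governing.includes("'wasm-unsafe-eval'") || governing.includes("'unsafe-eval'");
}

// The two headers at issue (assumed for this example): a site embedding a
// wasm-based library has to ship the second one. Adding only
// 'wasm-unsafe-eval' keeps JavaScript eval()/new Function() blocked.
const CSP_WITHOUT = "default-src 'self'; script-src 'self'";
const CSP_WITH = "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'";

// Smallest useful module, hand-assembled for this example (constructed, not
// taken from the library): exports add(i32, i32) -> i32.
const ADD_WASM = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, // "\0asm" magic
  0x01, 0x00, 0x00, 0x00, // version 1
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f, // type section: (i32, i32) -> i32
  0x03, 0x02, 0x01, 0x00, // function section: one function of type 0
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00, // export section: "add" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b, // code: local.get 0; local.get 1; i32.add; end
]);

// new WebAssembly.Module(bytes) is the call CSP blocks: in a browser it throws
// a CompileError unless wasmCompileAllowed(header) is true for the page's
// policy. Node.js enforces no CSP, so it always succeeds here. The result is
// a wasm i32, so it wraps like a signed 32-bit integer.
function addViaWasm(a, b) {
  const module = new WebAssembly.Module(ADD_WASM);
  const instance = new WebAssembly.Instance(module, {});
  return instance.exports.add(a, b);
}

console.log("without 'wasm-unsafe-eval':", wasmCompileAllowed(CSP_WITHOUT)); // false
console.log("with    'wasm-unsafe-eval':", wasmCompileAllowed(CSP_WITH));    // true
console.log("2 + 3 via wasm =", addViaWasm(2, 3));                            // 5
```

Run it with `node` to see the checker's verdict on both headers and the module's result; in a page served with `CSP_WITHOUT`, the same `addViaWasm` call is what fails with a `CompileError`, which is the error this issue is about.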