Possible to allow running inlined wasm just like JS despite CSP #1866

@eugenesvk

Update: it seems to be possible to resolve this by appending wasm-unsafe-eval to the existing website's CSP. Is this something Violentmonkey could do?

I'm successfully able to use your great extension to run a simple script that has an inlined wasm module in it (with a rollup bundler that inlines the wasm and adds the necessary JS glue code to run it), e.g., this gist has a module that only prints a line to console on 2 sites

But only on some websites. For example, the script above runs on example.com, but on github I get an error

CompileError: WebAssembly.instantiate(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src github.githubassets.com"

I don't understand why I can run JS (so the extension is able to bypass whatever site script-src restrictions there are), but not WASM
And maybe this is some deep browser limitation since wasm is still a 2nd-class citizen, so it's not a VM's bug per se (so filing this as a general issue)

But maybe you know how to make wasm work in a way just like JS
Thank you!

I've found a bunch of issues #1436 related to loading wasm modules via URLs, but this isn't it, everything is inlined
Then I've also discovered some CSP-related issue #1001, but that's only Firefox.
From that conversation I've learned that TamperMonkey removes CSP, but then tried using the same script with it, and it failed with the same error :(

(also am using Chromium browser, not Firefox)

I've also tried setting wasm-unsafe-eval directive to the CSP via the CSP editing extension https://chrome.google.com/webstore/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj/related?hl=en-US, and this seems to be the way, but even that extension failed to work properly - for some reason there is no "append" functionality for CSPs, so I can either override it to allow running inlined wasm (this works) or manually append, neither of which is a feasible option
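
An added example, not part of the original issue and not Violentmonkey's code: one way to do the "append" the post asks for, adding 'wasm-unsafe-eval' to a Content-Security-Policy header value instead of overriding it, so the site's other restrictions stay in force. The function names are hypothetical and the input is assumed to be the raw header string.

```javascript
// Added example (not Violentmonkey code): append 'wasm-unsafe-eval' to a CSP
// header value while leaving every other directive as the site sent it.
const WASM = "'wasm-unsafe-eval'";

// One policy -> ordered [name, sources[]] pairs; repeated directives are ignored, as browsers do.
function parsePolicy(policy) {
  const directives = [];
  for (const raw of policy.split(';')) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.some(([n]) => n === key)) directives.push([key, sources]);
  }
  return directives;
}

// WebAssembly compilation is permitted by either keyword in the effective script directive.
function allowsWasm(sources) {
  return sources.some(s => [WASM, "'unsafe-eval'"].includes(s.toLowerCase()));
}

function appendToPolicy(policy) {
  const directives = parsePolicy(policy);
  const find = n => directives.find(([name]) => name === n);
  // script-src governs wasm; default-src is its fallback.
  const effective = find('script-src') || find('default-src');
  if (!effective || allowsWasm(effective[1])) return policy.trim();
  let target = effective;
  if (effective[0] === 'default-src') {
    // Adding script-src stops the fallback, so carry default-src's sources over.
    target = ['script-src', [...effective[1]]];
    directives.push(target);
  }
  // 'none' only has meaning on its own, so drop it before adding the keyword.
  target[1] = target[1].filter(s => s.toLowerCase() !== "'none'").concat(WASM);
  return directives.map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// A header may carry several comma-separated policies; all are enforced, so each needs the keyword.
function appendWasmUnsafeEval(headerValue) {
  return headerValue.split(',').map(appendToPolicy).join(', ');
}

// The directive quoted in the error message above:
console.log(appendWasmUnsafeEval('script-src github.githubassets.com'));
```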
