| 00:05 | <bakkot> | I think the spec is actually fine on this front for import source foo from "foo.wasm" |
| 00:07 | <bakkot> | ES calls HostLoadImportedModule as defined in HTML, which does a fetch with destination "script", which triggers the script-src-elem pre-request check in CSP (why "elem"? ehhhhhhhhhhh), which will cause either script-src-elem, script-src, or default-src to apply (the first of those which is present) |
| 00:07 | <bakkot> | I assume the intention is that if this check passes then the module is allowed to run |
| 00:10 | <bakkot> | where "this check" means "the governing CSP directive lists the script's URL as an allowed host source" or (I think?) "there is an allowed hash source in the import map" as of https://github.com/whatwg/html/pull/10269 |
| 00:11 | <bakkot> | note that this is not how it works for webassembly outside of ESM integration; WebAssembly.instantiateStreaming is (empirically; this is not specified afaict) governed only by the unsafe-eval or unsafe-wasm-eval source expressions even when loading a wasm script from an allowed source, never by host or hash sources |
| 00:11 | <bakkot> | (which is dumb but whatever I guess) |
| 00:16 | <bakkot> | looks like there's a WPT for <script type="module" src="./resources/execute-start.wasm"></script> but not for import source |