The following issue mentions Chrome, but the same applies to Safari: https://github.com/WebAssembly/content-security-policy/issues/7 It's impossible to use wasm in Safari without the `unsafe-eval` directive. This proposal describes a new directive, `wasm-unsafe-eval`, that would allow executing arbitrary wasm code without having to also allow JS eval(): https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md Chrome has the following issue open to support that directive: https://bugs.chromium.org/p/chromium/issues/detail?id=948834 We would prefer to use the stream APIs with proper CSP support, but WK does not yet even have the stream functions: https://bugs.webkit.org/show_bug.cgi?id=173105 Given that and the fact that Chrome has the stream functions but not proper CSP support (https://bugs.chromium.org/p/chromium/issues/detail?id=961485), an acceptable alternative for now would be to support `wasm-unsafe-eval` in the `script-src` directive. Note that Firefox and Edge allow wasm compilation and execution without any change to the CSP whatsoever. That behavior is effectively the same as adding `wasm-unsafe-eval` automatically. We aren't advocating that position either and would prefer to see those browsers disable wasm unless `wasm-unsafe-eval` is present or an acceptable SRI hash or origin is present.