The following issue mentions Chrome, but the same applies to Safari: https://github.com/WebAssembly/content-security-policy/issues/7
It's impossible to use wasm in Safari without the `unsafe-eval` directive. This proposal describes a new directive, `wasm-unsafe-eval`, that would allow executing arbitrary wasm code without having to also allow JS eval(): https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md
Chrome has the following issue open to support that directive: https://bugs.chromium.org/p/chromium/issues/detail?id=948834
We would prefer to use the stream APIs with proper CSP support, but WK does not yet even have the stream functions: https://bugs.webkit.org/show_bug.cgi?id=173105
Given that and the fact that Chrome has the stream functions but not proper CSP support (https://bugs.chromium.org/p/chromium/issues/detail?id=961485), an acceptable alternative for now would be to support `wasm-unsafe-eval` in the `script-src` directive.
Note that Firefox and Edge allow wasm compilation and execution without any change to the CSP whatsoever. That behavior is effectively the same as adding `wasm-unsafe-eval` automatically. We aren't advocating that position either and would prefer to see those browsers disable wasm unless `wasm-unsafe-eval` is present or an acceptable SRI hash or origin is present.
Created attachment 369601 [details]
WASM and CSP test cases
Here is a set of tests and a summary of major browser behavior.
It appears Chrome plans to include support for this in M96: https://groups.google.com/a/chromium.org/g/blink-dev/c/5U_SgZ3r8QI/m/pnOzK2S3BAAJ
wasm CSP is on phase 3 now (as voted on October 26 2021 wasm CG meeting)