My hopes for Bug 173105 were high, but sadly the only way to permit WASM in a CSP is still with either `unsafe-eval` or `wasm-unsafe-eval` (added with Bug 235408). That means that the strictest a developer can get with the CSP is to say that either all WASM or no WASM can be run. As with JavaScript, though, we (1Password) would like to limit what WASM can be run on our domain, either by request origin (for WASM streaming APIs) or by SRI hash (streaming or not). The original proposal for this can be found here: https://github.com/WebAssembly/content-security-policy/blob/57b7b528bb5723b37e50497348e0432a7ad65c70/proposals/CSP.md#proposed-origin-bound-permission Unfortunately, the current version of the proposal has backtracked to remove the parts about binding to the request origin or SRI hash, replacing them with a commentary on the suitability of "script-src": https://github.com/WebAssembly/content-security-policy/blob/dd75e5ba3d31aa50cda1216e7ae15170c72ce7c7/proposals/CSP.md#using-existing-csp-script-src-policies I see the value in using a new directive like "wasm-src" instead of "script-src", but that doesn't change the need for _some_ way to bind to an origin or hash. This issue is the WebKit counterpart to https://bugs.chromium.org/p/chromium/issues/detail?id=961485.
This is a reasonable request, but ideally the standard changes first. From a quick search through https://github.com/w3c/webappsec-csp/issues it appears this isn't being discussed. I recommend starting a discussion there.
<rdar://problem/109902189>