RESOLVED FIXED290153
wasm-unsafe-eval not working for Safari Web Extension (worked previously) 
https://bugs.webkit.org/show_bug.cgi?id=290153
Summary wasm-unsafe-eval not working for Safari Web Extension (worked previously)
kusaiya
Reported 2025-03-20 20:26:14 PDT
When my extension loads I get this: [Error] wasm streaming compile failed: CompileError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". That error seems wrong as I see 'wasm-unsafe-eval' in the: Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'" So is it not parsing the string correctly? Details on how my extension works: The extension has an iframe, and it's src is set to iframe.src = './index.html'; the index.html loads a js file <script src='main.dart.js'></script> That js file is a compiled Flutter web project. This did work at some point, I'm thinking an update to Safari broke it. The Flutter web project isn't compiled as wasm, but it seems that even Flutter non wasm builds require this 'wasm-unsafe-eval' to run, so removing it doesn't work either The extension works fine in FireFox and Chrome, and did work in and older version of Safari. Any tips or help? I'm stuck. Thanks, ``` "content_security_policy": { "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self';" }, ```
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-03-20 20:30:49 PDT
<rdar://problem/147551225>
kusaiya
Comment 2 2025-03-20 23:32:24 PDT
I'm remembering now how it worked before. Flutter use to have an 'html' renderer, but now that is deprecated and doesn't exist, so the new renderer even if not compiled as wasm, runs a bit of wasm to test which renderer to use AFAIK. So currently it's impossible for anyone to write a Safari Web Extension with Flutter. Please fix this as I have a product on the app store and it's broken and I can't update it since I can't go back to an old version of Flutter since my code is updated for Chrome/Firefox and I can't revert to older Flutter. Emergency, I need a fix.
kusaiya
Comment 3 2025-03-20 23:46:37 PDT
One interesting behavior that I noticed is that my extension puts the code in an iframe and the src is a local file but if I have the same code and src is set to http://localhost:8754 it loads fine so is there a way to get that same behavior using a local file? Why would using a url work and a local file fail? They should be the same right?
kusaiya
Comment 4 2025-03-21 00:12:17 PDT
also seeing this bug which needs to be fixed: [Error] wasm streaming compile failed: TypeError: Unexpected response MIME type. Expected 'application/wasm' (anonymous function) (canvaskit.js:92:233)
Kiara Rose
Comment 5 2025-04-17 09:00:50 PDT
Safari recently switched over to using WebKit's CSP parser. this code was written before we had support for `wasm-unsafe-eval` for extensions. the fix here is to remove the restriction not allowing this keyword.
Kiara Rose
Comment 6 2025-04-17 13:38:40 PDT
Although, I haven't been able to reproduce a case where the Web Assembly code doesn't compile in an extension page, even if `wasm-unsafe-eval` is not specified in the CSP. This is a bug which I will file a separate issue for.
Kiara Rose
Comment 7 2025-04-17 13:39:35 PDT
(In reply to kusaiya from comment #4) > also seeing this bug which needs to be fixed: > > [Error] wasm streaming compile failed: TypeError: Unexpected response MIME > type. Expected 'application/wasm' > (anonymous function) (canvaskit.js:92:233) Do you have a sample project you can attach? I haven't been able to reproduce a case in which the web assembly code doesn't compile in an extension page.
Kiara Rose
Comment 8 2025-04-17 16:00:49 PDT
Pull request: https://github.com/WebKit/WebKit/pull/44232
EWS
Comment 9 2025-04-18 09:20:43 PDT
Committed 293854@main (f2f4f6420f21): <https://commits.webkit.org/293854@main> Reviewed commits have been landed. Closing PR #44232 and removing active labels.
kusaiya
Comment 10 2025-04-23 17:47:05 PDT
> [Error] wasm streaming compile failed: TypeError: Unexpected response MIME > type. Expected 'application/wasm' > (anonymous function) (canvaskit.js:92:233) This was reported months ago. Search the bugs. I don't remember the details. It just failed to work. Thanks for fixing the other bug.
Note You need to log in before you can comment on or make changes to this bug.