Has anybody figured out how to use wasm with content security protocol (CSP)?

[amir20]

I have

default-src 'self'; style-src 'self' 'unsafe-inline';img-src 'self' data:; script-src 'self' 'wasm-unsafe-eval'; connect-src: 'self' https://extensions.duckdb.org; as my CSP and I still see an error like:

NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'https://extensions.duckdb.org/duckdb-wasm/v0.9.2/wasm_eh/json.duckdb_extension.wasm'.

If I remove the CSP headers it works fine. I am not sure what else to try. Seems like it should work given the connect-src.

[carlopi]

This sounds it might be possibly something wrong on how we deploy extensions, unsure.

I would try host an extension in say, GitHub pages, that have a standard trust and tried setup, and then see whether you can do:

LOAD 'https://something.github.io/xxxxxx/yyyy.duckdb_extension.wasm'

and see whether that works.

[amir20]

Thanks @carlopi.

I think I see what you mean now. I was confused because I am using the vite configuration. I would expect everything to be self contained. But it seems like the json plugin is still hosted remotely.

I was finally able to get it to work with:

default-src 'self'; style-src 'self' 'unsafe-inline';connect-src 'self' https://*.duckdb.org;img-src 'self' data:; script-src 'self' 'wasm-unsafe-eval';

However, I think this defeats the purpose of using vite because it still loads external plugins.

So I'll try to use the CDN option to see if that works better.

I would consider this a bug since personally I wouldn't expect a wasm to load another plugin hosted some where else.