6

I am embedding a WebGL game built in Unity on my web app built in Flask. I use a CSP for security purposes on the backend but even after including the wasm-eval directive in my CSP, I continue to get these errors only in Chrome:

UnityLoader.js:4 failed to asynchronously prepare wasm: CompileError: WebAssembly.instantiate(): Wasm code generation disallowed by embedder

printErr @ UnityLoader.js:4
UnityLoader.js:4 CompileError: WebAssembly.instantiate(): Wasm code generation disallowed by embedder
    at blob:http://localhost:5000/510c750f-1181-4d80-926f-dc71e527c16b:8:31195

Uncaught (in promise) abort({}) at Error
    at jsStackTrace (blob:http://localhost:5000/cd04e961-d5f5-490c-8869-fbc73dd40aa4:8:22295)
    at Object.stackTrace (blob:http://localhost:5000/cd04e961-d5f5-490c-8869-fbc73dd40aa4:8:22466)
    at Object.onAbort (http://localhost:5000/static/desert_run/Build/UnityLoader.js:4:11118)
    at abort (blob:http://localhost:5000/cd04e961-d5f5-490c-8869-fbc73dd40aa4:8:446869)
    at blob:http://localhost:5000/cd04e961-d5f5-490c-8869-fbc73dd40aa4:8:31316

I am not sure what I need to fix, and the unsafe-eval directive for script-src doesn't work either. Here is my CSP and the code I use in _init_.py to implement it on the backend:

from flask import Flask, url_for, current_app
from flask_talisman import Talisman

csp = {
    "default-src": [
        "'self'",
        'https://www.youtube.com',
        'blob:',
        'wasm-eval'
    ],
    'script-src': [ "'self'",
                    'blob:',
                    'wasm-eval',
                    'https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js',
                    'https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/js/bootstrap.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/socket.io/2.2.0/socket.io.js',
                    'https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js']
}
talisman = Talisman()
app = Flask(__name__)

def create_app():
 talisman.init_app(app)
 talisman.content_security_policy = csp
 talisman.content_security_policy_report_uri = "/csp_error_handling"
 return app
nosh
  • 620
  • 3
  • 14
  • 50
  • 2
    Please post: the URL of your **document**, the URL of your wasm resource, and ideally the response headers as the browsers receives them for both. – Dima Tisnek Jul 14 '20 at 00:57

1 Answers1

3

I was running into a similar issue but was able to fix it by adding 'unsafe-eval' into the script-src list, so you should do the following:

csp = {
    "default-src": [...],
    "script-src": [
        "'self'",
        "blob:",
        "'unsafe-eval'",
        "https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js",
        ...
    ],
}

Here are all directives and values I used to serve a Unity WebGL game from my server:

csp = {
    "default": ["'self'"],
    "img-src": ["'self'"],
    "style-src": ["'self'"],
    "script-src": ["'self'", "blob:", "'unsafe-inline'", "'unsafe-eval'"],
    "worker-src": ["'self'", "blob:"],
}
goto
  • 4,336
  • 15
  • 20