WASM compilation is disabled by default in Chromium extensions

[mossroy]

The decompressor API is red and its status is "Error loading ZSTD decompressor!".
In the browser console :

Could not instantiate any ZSTD decoder! RuntimeError: abort(CompileError: WebAssembly.instantiate(): Wasm code generation disallowed by embedder). Build with -s ASSERTIONS=1 for more info.
at A (zstddec-wasm.js:15)
at zstddec-wasm.js:18

And nothing works afterwards.

It comes from a CSP applied on Chromium extensions (not on Firefox extensions), for security reasons.
It can be overridden by adding a line in manifest.json, see https://stackoverflow.com/questions/48523118/wasm-module-compile-error-in-chrome-extension . It seems to work with both unsafe-eval or wasm-eval, and does not seem to annoy Firefox.

Is it risky to do that?
Should we use unsafe-eval (that probably works with all versions of Chromium, but opens more security risks) or wasm-eval (that opens less security risks, but might not work with all versions of Chromium)?

[mossroy]

Maybe we could use wasm-eval and trap this exception (that could occur is wasm-eval is unsupported), and fallback to ASM in this case?

[mossroy]

The CSP has been added at the beginning of 2017 : https://codereview.chromium.org/2646713002/
And wasm-eval has been implemented at the end of 2017 : https://bugs.chromium.org/p/v8/issues/detail?id=7041

[mossroy]

Good catch. IMHO it's safe to add unsafe-eval because we only execute offline code. We also have a separate CSP for the iframe, which is where ZIM content is executed.

Originally posted by @Jaifroid in #722 (comment)

I did not find the iframe CSP in kiwix-js. There is one in kiwix-js-windows : https://github.com/kiwix/kiwix-js-windows/blob/56160448e04484525d5692471ed9a9c47d370192/www/js/app.js#L3669 (only for jQuery mode?), and we discussed about another one in #404 (but it's not implemented yet and was not trivial)

Our browser extension does not ask for any permission in its manifest. So, even if a ZIM file tries to bad things (or if it has been compromised), kiwix-js can not harm the rest of the browser sensitive information (other tabs, storage, etc).

So, in the short term, I suggest to add the unsafe-eval CSP in the manifest, to be sure we introduce no regression.

In the mid-term, we could :

• use wasm-eval instead of unsafe-eval (to allow only what is necessary), and trap the exception (that could occur if wasm-eval is unsupported : chromium-based browsers around 2017), and automatically fallback to ASM in this case : Allow wasm-eval instead of unsafe-eval in the browser extension manifest #752
• try to enforce the fact that we only can execute code coming from the ZIM file and/or that the executed code is restricted to the iframe. Maybe using the sandbox attribute : Restrict what an iframe can do, for security reasons #753