
Comments (7)

bglw commented on June 24, 2024

Agreed that it isn't great. There is some chatter around adding a wasm-src CSP and verifying these files, so I'll check on the status of that in the future. I'll also add a note to the documentation.

from pagefind.

bglw commented on June 24, 2024

Oops. So it looks like this fetch is failing on line 55: search.js > loadWasm

Unfortunately there's a bug in the catch on line 61 trying to log url which is suppressing the actual error 🤦

I'll fix up that log locally and then see if I can reproduce the CSP error. I don't see why a connect-src 'self' would block a fetch("/_pagefind/wasm.pagefind") request — my suspicions would be it doesn't like the fetch occurring inside an ES6 module, or it doesn't like the fetch of a file without any sane content type 🤔

Keen to hear if you have any ideas on where to look, otherwise I'll keep you posted on what I dig up 🙂

Cheers!

vanbroup commented on June 24, 2024

I don't think the call is blocked by the CSP as that would give a clear error message, but some context/meta-data might not be provided with this CSP enabled, causing the script to fail.

Sorry, I haven't looked at it in detail yet.

bglw commented on June 24, 2024

Ah, I see where our issue lies. If I suppress that url error, I get:

CompileError: call to WebAssembly.instantiate() blocked by CSP

Unfortunately (I'm just now learning that) wasm broadly currently gets classified under unsafe-eval.

In the past the only path to get that working has been to allow script-src 'unsafe-eval' in your CSP. There is however a proposal to add a wasm-specific CSP to browsers, which adds a specific script src wasm-unsafe-eval. It's hard to tell how broadly this is supported, but looking at Chrome it appears this has shipped, and testing it in Firefox myself it does work.

So adding script-src 'wasm-unsafe-eval' to your CSP should allow wasm to execute without adding extra permissions to your js.

bglw commented on June 24, 2024

Bad news — my test site doesn't work in Safari without script-src 'unsafe-eval' ☹️ Looks like wasm-unsafe-eval is on the way for WebKit but isn't stable yet.

vanbroup commented on June 24, 2024

Setting script-src 'wasm-unsafe-eval' looks to 'solve' the problem for Chrome, Edge and Firefox on both desktop and mobile. It would be great if we didn't have to allow any unsafe policies; however, unfortunately this does currently seem to be a requirement for WebAssembly.

bglw commented on June 24, 2024

I have covered this point in the documentation alongside the latest release, so I'll close this issue for now and keep an eye on CSP/WASM goings on.

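Added example, not part of the original thread or of Pagefind's code: a small checker that reads a Content-Security-Policy header and reports whether WebAssembly compilation is permitted, and whether that permission also opens JavaScript eval(), which is the trade-off discussed above. The function names and the sample policies are constructed for illustration.

```javascript
// Parse a CSP header value into a Map: directive name -> lower-cased source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    // Lower-casing is fine here because only keyword sources are inspected.
    if (!directives.has(key)) directives.set(key, values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// Report what the policy means for WebAssembly.instantiate() and for JS eval().
function wasmVerdict(header) {
  const csp = parseCsp(header);
  // Wasm compilation is governed by script-src, falling back to default-src.
  // connect-src only controls the fetch of the .wasm file, not its compilation.
  const sources = csp.get("script-src") ?? csp.get("default-src");
  if (sources === undefined) {
    return { wasmAllowed: true, jsEvalAllowed: true, needsKeywordSupport: false };
  }
  if (sources.includes("'unsafe-eval'")) {
    return { wasmAllowed: true, jsEvalAllowed: true, needsKeywordSupport: false };
  }
  if (sources.includes("'wasm-unsafe-eval'")) {
    // Works only in browsers that implement the wasm-specific keyword.
    return { wasmAllowed: true, jsEvalAllowed: false, needsKeywordSupport: true };
  }
  return { wasmAllowed: false, jsEvalAllowed: false, needsKeywordSupport: false };
}

// Constructed sample policies, one per outcome.
const samples = [
  "default-src 'self'; connect-src 'self'",
  "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self'; script-src 'self' 'unsafe-eval'",
];
for (const policy of samples) {
  console.log(policy, "=>", JSON.stringify(wasmVerdict(policy)));
}
```

A result with needsKeywordSupport set to true means the site will still fail in any browser that has not shipped 'wasm-unsafe-eval', as reported for Safari in the thread.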
