Comments (7)
Agreed that it isn't great. There is some chatter around adding a wasm-src CSP and verifying these files, so I'll check on the status of that in the future. I'll also add a note to the documentation.
from pagefind.
Oops. So it looks like this fetch is failing on line 55: search.js > loadWasm
Unfortunately there's a bug in the catch on line 61 trying to log url
which is suppressing the actual error đ¤Ļ
I'll fix up that log locally and then see if I can reproduce the CSP error. I don't see why a connect-src 'self'
would block a fetch("/_pagefind/wasm.pagefind")
request â my suspicions would be it doesn't like the fetch occurring inside an ES6 module, or it doesn't like the fetch of a file without any sane content type đ¤
Keen to hear if you have any ideas on where to look, otherwise I'll keep you posted on what I dig up đ
Cheers!
from pagefind.
I don't think the call is blocked by the CSP as that would give a clear error message, but some context/meta-data might not be provided with this CSP enabled, causing the script to fail.
Sorry, I haven't looked at it in detail yet.
from pagefind.
Ah, I see where our issue lays. If I suppress that url
error, I get:
CompileError: call to WebAssembly.instantiate() blocked by CSP
Unfortunately (I'm just now learning that) wasm broadly currently gets classified under unsafe-eval
.
In the past the only path to get that working has been to allow script-src 'unsafe-eval'
in your CSP. There is however a proposal to add a wasm-specific CSP to browsers, which adds a specific script src wasm-unsafe-eval
. It's hard to tell how broadly this is supported, but looking at Chrome it appears this has shipped, and testing it in Firefox myself it does work.
So adding script-src 'wasm-unsafe-eval'
to your CSP should allow wasm to execute without adding extra permissions to your js.
from pagefind.
Bad news â my test site doesn't work in Safari without script-src 'unsafe-eval'
from pagefind.
Setting script-src 'wasm-unsafe-eval'
looks to 'solve' the problem for Chrome, Edge and Firefox on both desktop and mobile. It would be great if we don't have to allow any unsafe
policies however, unfortunately this does currently seem to be a requirement for WebAssembly.
from pagefind.
I have covered this point in the documentation alongside the latest release, so I'll close this issue for now and keep an eye on CSP/WASM goings on.
from pagefind.
Related Issues (20)
- Dark mode in default pagefind-modular-ui.css HOT 6
- H1 elements not being indexed HOT 2
- [Feature request] Score exact name of page highly HOT 1
- The path to the image is not found
- Special characters (p.e. Umlauts) in page's file names are not escaped, causing not working links HOT 2
- CSS Validation Parse Error: .pagefind-ui__button.svelte-193m69l | Value Error : color ----pagefind-ui-primary HOT 1
- Runtime error "unreachable executed" when search term contains emoticon HOT 1
- Support of specific "target" for <a> links by default UI to open result documents in different frame HOT 2
- ModularUI results do not update on scroll HOT 4
- Sort ModularUI FilterPills HOT 2
- Difference in the results by including `a` in the middle. HOT 4
- Problem with domains and subdomains HOT 4
- Error in documentation for the bundle path option
- Consider exposing the types on the Pagefind client
- feature request: Python wrapper package, Python API HOT 6
- Allow to specify the path of the config file HOT 1
- Allow to override default weight of HTML elements in config
- Add UI search event hooks HOT 1
- Pagefind 1.1.0 output is not stable HOT 1
- Speical Symbols
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
đ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. đđđ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google â¤ī¸ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pagefind.