Chrome嵌入程序禁止生成Wasm代码 [英] Wasm code generation disallowed by embedder in Chrome

问题描述

我将在Unity内建的Web应用程序中嵌入了Unity内建的WebGL游戏.我出于安全目的在后端使用了CSP，但是即使在我的CSP中包含了 wasm-eval 指令之后，我仍然仅在Chrome中继续遇到这些错误:

I am embedding a WebGL game built in Unity on my web app built in Flask. I use a CSP for security purposes on the backend but even after including the wasm-eval directive in my CSP, I continue to get these errors only in Chrome:

UnityLoader.js:4 failed to asynchronously prepare wasm: CompileError: WebAssembly.instantiate(): Wasm code generation disallowed by embedder

printErr @ UnityLoader.js:4
UnityLoader.js:4 CompileError: WebAssembly.instantiate(): Wasm code generation disallowed by embedder
    at blob:http://localhost:5000/510c750f-1181-4d80-926f-dc71e527c16b:8:31195

Uncaught (in promise) abort({}) at Error
    at jsStackTrace (blob:http://localhost:5000/cd04e961-d5f5-490c-8869-fbc73dd40aa4:8:22295)
    at Object.stackTrace (blob:http://localhost:5000/cd04e961-d5f5-490c-8869-fbc73dd40aa4:8:22466)
    at Object.onAbort (http://localhost:5000/static/desert_run/Build/UnityLoader.js:4:11118)
    at abort (blob:http://localhost:5000/cd04e961-d5f5-490c-8869-fbc73dd40aa4:8:446869)
    at blob:http://localhost:5000/cd04e961-d5f5-490c-8869-fbc73dd40aa4:8:31316

我不确定需要修复什么，并且 script-src 的 unsafe-eval 指令也不起作用.这是我的CSP和我在_ init _.py中用于在后端实现它的代码:

I am not sure what I need to fix, and the unsafe-eval directive for script-src doesn't work either. Here is my CSP and the code I use in _init_.py to implement it on the backend:

from flask import Flask, url_for, current_app
from flask_talisman import Talisman

csp = {
    "default-src": [
        "'self'",
        'https://www.youtube.com',
        'blob:',
        'wasm-eval'
    ],
    'script-src': [ "'self'",
                    'blob:',
                    'wasm-eval',
                    'https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js',
                    'https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/js/bootstrap.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/socket.io/2.2.0/socket.io.js',
                    'https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js']
}
talisman = Talisman()
app = Flask(__name__)

def create_app():
 talisman.init_app(app)
 talisman.content_security_policy = csp
 talisman.content_security_policy_report_uri = "/csp_error_handling"
 return app

推荐答案

我遇到了类似的问题，但是能够通过在 script中添加'unsafe-eval'来解决此问题-src 列表，因此您应该执行以下操作:

I was running into a similar issue but was able to fix it by adding 'unsafe-eval' into the script-src list, so you should do the following:

csp = {
    "default-src": [...],
    "script-src": [
        "'self'",
        "blob:",
        "'unsafe-eval'",
        "https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js",
        ...
    ],
}

这里是我用来从服务器上投放 Unity WebGL 游戏的所有指令和值:

Here are all directives and values I used to serve a Unity WebGL game from my server:

csp = {
    "default": ["'self'"],
    "img-src": ["'self'"],
    "style-src": ["'self'"],
    "script-src": ["'self'", "blob:", "'unsafe-inline'", "'unsafe-eval'"],
    "worker-src": ["'self'", "blob:"],
}

这篇关于Chrome嵌入程序禁止生成Wasm代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！