Issue: Content Security Policy 'unsafe-eval' Conflict using HTML5 FMOD

Hello,

I’m starting to build a frontend for a website that will use FMOD for audio.
For security purposes (and it looks like it is widely considered as a security best practice), I have turned off 'unsafe-eval' for all browser scripts.

But now the browser throws an error when calling FMODModule due to a function in fmod_reduced.js called createNamedFunction that is running some dynamic JS. (I’m currently using the wasm version)

After looking around for answers I found that you can turn off the generation of unsafe-eval-related JS in emcc by passing -s NO_DYNAMIC_EXECUTION=1, but according to this issue, it looks like later versions of Emscripten actually have removed use of eval.

Would it be a possibility to make this change in your HTML5 distribution?
In the meantime, I’m going to see if linking the static library with that flag could work.

Thanks,
Aaron

Just wanted to follow up that linking to the static library with the -s NO_DYNAMIC_EXECUTION=1 flag isn’t working for the same reason.

Here are the error messages from Chrome’s console:

After some searching I found this MDN article that mentions that in order to use WebAssembly with a CSP header at all, you need to enable script-src 'wasm-unsafe-eval'.

After running the code with this header change, both Chrome and Safari threw an error mentioning that it could not load a blob from blob:http://localhost:<port><filename>. (I’m not sure if this is the .wasm file paired with the .js or not, because the filename was a GUID-like string of hex characters and dashes)

Anyway, after setting the policy to script-src 'self' 'wasm-unsafe-eval' blob: it works now in both Chrome & Safari. (It also works with the pre-built fmod js)

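The three policies tried in this thread can be compared with a small audit function. This is an added example, not part of the original posts and not FMOD or Emscripten code; `parseCsp` and `auditScriptPolicy` are hypothetical names, and the model is deliberately simplified to `script-src` with `default-src` fallback.

```javascript
// Simplified CSP audit: what does a policy allow for eval(), WebAssembly
// compilation, and scripts loaded from blob: URLs?
// Assumption: only script-src (falling back to default-src) is modelled;
// script-src-elem, worker-src, nonces and hashes are ignored.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditScriptPolicy(header) {
  const directives = parseCsp(header);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) {
    // No governing directive: this policy places no restriction on scripts.
    return { evalAllowed: true, wasmAllowed: true, blobAllowed: true };
  }
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  return {
    evalAllowed: has("'unsafe-eval'"),
    // 'unsafe-eval' also permits WebAssembly; 'wasm-unsafe-eval' permits only that.
    wasmAllowed: has("'unsafe-eval'") || has("'wasm-unsafe-eval'"),
    // blob: must be listed explicitly; the '*' wildcard does not match it.
    blobAllowed: has('blob:'),
  };
}

// Constructed sample policies matching the steps described in the thread.
const samples = [
  "script-src 'self'",
  "script-src 'self' 'wasm-unsafe-eval'",
  "script-src 'self' 'wasm-unsafe-eval' blob:",
];
for (const policy of samples) {
  console.log(policy, '=>', JSON.stringify(auditScriptPolicy(policy)));
}
```

Only the last policy permits both WebAssembly and blob: scripts while keeping eval() blocked. Note that `blob:` allows any script already running on the page to execute code from a Blob it constructs, so it is a broader allowance than 'wasm-unsafe-eval' on its own.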