[v3] WASM Sqlite not working with CSP

[dvanmali]

Environment

• Operating System: Darwin
• Node Version: v22.13.0
• Nuxt Version: 3.15.2
• CLI Version: 3.20.0
• Nitro Version: 2.10.4
• Package Manager: [email protected]
• Runtime Modules: @nuxt/[email protected], [email protected], [email protected]

Reproduction

Add nuxt-security or a CSP with their default settings, specifically: script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-{{nonce}}'.
On initial load, the page loads correctly, however when switching pages using NuxtLink, the page does not populate and the following error shows as the code tries to use sqlite locally via WASM.

Describe the bug

In the console the following error is generated:

sqlite3-bundler-friendly.mjs:13940 Exception loading sqlite3 module: RuntimeError: Aborted(CompileError: WebAssembly.instantiate(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-xxxx'").

Additional Notes

When adding 'wasm-unsafe-eval' or 'unsafe-eval' to the CSP, the page does populate however this is not good practice to have in production.

[jlemonz]

yes same issue

[farnabaz]

I see your point here When you use CSP, WASM binary init functions cannot be executed and like you mentioned the solution is to enable wasm-unsafe-eval.

We should update documentation and mention CPS and integration with nuxt-security module.

---

I'm not a security expert but, wasm-unsafe-eval is not as harmful as unsafe-eval. Javascript eval is unsafe for a couple of reasons which do not apply to WASM and the name is mostly chosen for compatibility.

As noted above, WebAssembly functions are only able to access objects reachable from the import object. The instance does not have unrestricted access to the JavaScript global object.
https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md