Wasm module compile error in Chrome Extension

It seems from this issue that Chrome requires script-src: 'unsafe-eval' CSP directive be active for WebAssembly compilation. See this discussion as to why this is the case, at least for now.

Chrome Extensions come with default restrictions on CSP; that includes not allowing unsafe-eval. Some of the restrictions cannot be lifted; in this case, you can allow unsafe-eval by adding a manifest key:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

This should be enough to test if Wasm works in extensions. But heed this warning from documentation:

However, we strongly recommend against doing this. These functions are notorious XSS attack vectors.

Instead of allowing unsafe-eval for your whole extension, you can sandbox code that requires it, using the following approach from the docs:

Using eval in Chrome Extensions. Safely.

The gist of it is to create a separate page in your extension, where unsafe-eval is allowed but Chrome API access is disallowed; you then embed this page in your extension and communicate with it using postMessage().


Chrome implemented special policy 'wasm-eval' exclusively for apps and extensions to resolve this problem. It is chrome-specific, but slowly moving into CSP and WebAssembly standards. Just replace 'unsafe-eval' with 'wasm-eval' in @Xan's solution.

Note though, this is still an attack vector and it's your responsibility to verify the source of executed assembly. See for example uBlock's author thoughts on this policy.