CG-08-12.md

October 1, 2025

Agenda for the August 12 video call of WebAssembly's Community Group

  • Where: Virtual meeting
  • When: August 12, 16:00-17:00 UTC (9am-10am PDT, 18:00-19:00 CEST)
  • Location: link on W3C calendar or Google Calendar invitation

Registration

No registration is required for VC meetings. The meeting is open to CG members only.

Agenda items

  1. Opening
  2. Proposals and discussions
    1. Update on WebAssembly's part of CSP (Francis McCabe) (Potential vote for phase 4.)
  3. Closure

Agenda items for future meetings

None

Meeting Notes

Attendees

  • Conrad Watt
  • Derek Schuff
  • Adam Bratschi-Kaye
  • Alex Crichton
  • Andrea
  • Andrew Brown
  • Bailey Hayes
  • Ben Visness
  • Brendan Dahl
  • Chris Fallin
  • Colin Murphy
  • Dan Gohman
  • Daniel Lehmann
  • Deepti Gandluri
  • Emanuel Ziegler
  • Erik Rose
  • Francis McCabe
  • Jeff Charles
  • Johnnie Birch
  • Julien Pages
  • Keith Winstein
  • Marcus Plutowski
  • Nick
  • Nuno Pereira
  • Michael Ficarra
  • Paul Osborne
  • Yijia Huang
  • Yuri Iozzelli
  • Yury Delendik
  • Jakob Kummerow
  • Ricky Vetter
  • Ryan Hunt
  • Thomas Lively
  • Victor Lu

Proposals and discussions

  1. Update on WebAssembly's part of CSP (Francis McCabe)

FM presenting Slides

CW: you mentioned the web API tests: given that this isn’t core language, are there any other tests we want updated to reflect this?

FM: I believe the tests are in the right place.

CW: we have what we need in other standards orgs too?

FM: yes.

KW (chat): Non-critical question: Do we think there will eventually be a followup proposal with a Wasm analog to script-src (which I know was debated years ago and abandoned in the MVP), or is this basically not going to happen at this point? (https://github.com/WebAssembly/content-security-policy/blob/e3977ba46d540c5ae6e628626e70c8d95ce93f9a/proposals/CSP.md#using-existing-csp-script-src-policies)

FM: this was discussed a while ago. I don’t rule it out but there seemed to be a lack of enthusiasm for this in the WebAppSec group. They seemed to want their own policy type as wasm. I’m not really against it but the community said that script-src was meant for executable code, and wasm is executable code. Script-src isn’t specific to JS. So I guess it could happen but doesn’t seem likely.

FM: so let’s have a vote for phase 4 at this point

POLL: WebAssembly CSP to phase 4

SF: 2, F: 24, N: 3, A: 0, SA: 0

POLL PASSES

Closure