Blocking/allowlisting all JavaScript is the only way [1] to have a CSP fully contain an app (no exfiltration) [2] and with prefetch that might not be enough. The author is correct at the end to suggest using WebAssembly. (Also, it still has the issue of clicking links, which can be limited to certain domains or even data: by wrapping the untrusted code in an iframe and using child-src on the parent of the iframe)

1: https://github.com/w3c/webappsec/issues/656#issuecomment-246...

2: https://www.w3.org/TR/CSP3/#exfiltration

▲

EE84M3i 8 months ago | parent | next [-]

I didn't realize you could use CSP for preventing exhilaration now! How did they close the WebRTC loopholes?

	▲	benatkin 8 months ago \| parent [-]
		They haven't. That in the spec stops short of actually saying that it will stop all exfiltration. What it will do is make it harder because you'd have to put the data in a subdomain or in a username/password. It also could make it hard to deny that an attempt to exfiltrate was deliberate.

▲

kmeisthax 8 months ago | parent | prev [-]

Why would WebAssembly provide more protection against exfiltration than JavaScript in this case?

	▲	benatkin 8 months ago \| parent [-]
		By default WebAssembly doesn't have access to the DOM or JavaScript globals. You have full control of how it can access these things.