Why not unsafe-wasm-eval?

[annevk]

It's not clear to me why we'd deviate from the CSP naming precedent.

[titzer]

I don't feel strongly about the naming, other than we might have a compatibility issue with what has already been implemented in Chrome (https://cs.chromium.org/chromium/src/extensions/common/csp_validator.cc?q=wasm-eval&sq=package:chromium&dr=C&l=208).

It might be hair splitting, but JavaScript eval is unsafe for a number of reasons that don't apply to wasm, so naming it "wasm-eval" is a way to just state "just the facts ma'am" and leave out value judgements :-)

[annevk]

It's not a value judgment. It makes it clear to policy authors what the risks are. And the risks are definitely similar, if not the same.

cc @mikewest

[titzer]

@annevk I can see that argument. If there is consensus for unsafe-wasm-eval, then in Chrome we can implement the new directive and keep the old as a deprecated alias for some transition time.