Feature Request / Discussion: Safe WebAssembly (WASM) execution in templates (CSP blocks in 25.09.4+)

Gday,

With the security updates introduced in 25.09.4, strict Content Security Policy (CSP) enforcement now blocks WebAssembly compilation with the following error:

Uncaught RuntimeError: Aborted(CompileError: WebAssembly.instantiate(): Refused to compile or instantiate WebAssembly module because ‘unsafe-eval’ is not an allowed source of script…

My Use Case: I maintain an interactive chess template that utilizes a local Stockfish engine running within a Web Worker. This allows for things like quick analysis and play vs engine cards. There is an asm version of stockfish.js I can use but it is a fair bit weaker so I would like to avoid this if possible.

I get the need for strict security against malicious shared decks, and my use case is pretty niche, but my question is whether some kind of opt-in solution might be possible. Like allowing users to manually opt-in/trust certain decks or something?

It might be possible in the future to enable this safely for all users when we add sandboxing: Migrate the reviewing screen to Svelte and sandbox if possible · Issue #3871 · ankitects/anki · GitHub

For now I recommend writing an add-on to bypass CSP for your deck’s assets. You should be able to do that by patching aqt.mediasrv._handle_local_file_request

Thanks @abdo, I will keep an eye on that issue. I already have a companion addon so I will try your suggestion.