CSP Support for ESM Integration

[guybedford]

Somewhat related to #41, it's worth thinking about what CSP policies will apply to the ESM integration when importing Wasm.

Currently the Wasm CSP spec defines wasm-unsafe-eval to be required for all JS API usages.

Would the ESM integration form an exception here when importing Wasm in that it maintains full control of the script src? Or would it simply adopt this same policy?

[fgmccabe]

I don't have a well formed opinion on this at the moment.

[annevk]

As script fetching is currently setup it would indeed use script-src. I filed whatwg/html#7233 to see if that's how it should be.

[guybedford]

whatwg/html#7233 has since been resolved and CSP integration has since landed for the Wasm ESM Integration in HTML as sharing the script-src policy with JavaScript, while still allowing more fine-grained script-src policies for Wasm specifically in addition in future.