Only allow WASM execution in results view

extensions/ql-vscode/src/abstract-webview.ts

@@ -24,6 +24,7 @@ export type WebviewPanelConfig = {
   view: WebviewView;
   preserveFocus?: boolean;
   additionalOptions?: WebviewPanelOptions & WebviewOptions;
+  allowWasmEval?: boolean;
 };
 
 export abstract class AbstractWebview<
@@ -116,6 +117,7 @@ export abstract class AbstractWebview<
       config.view,
       {
         allowInlineStyles: true,
+        allowWasmEval: config.allowWasmEval ?? false,
       },
     );
     this.push(

extensions/ql-vscode/src/interface-utils.ts

@@ -129,10 +129,13 @@ export function getHtmlForWebview(
   view: WebviewView,
   {
     allowInlineStyles,
+    allowWasmEval,
   }: {
     allowInlineStyles?: boolean;
+    allowWasmEval?: boolean;
   } = {
     allowInlineStyles: false,
+    allowWasmEval: false,
   },
 ): string {
   const scriptUriOnDisk = Uri.file(ctx.asAbsolutePath("out/webview.js"));
@@ -172,7 +175,9 @@ export function getHtmlForWebview(
 <html>
   <head>
     <meta http-equiv="Content-Security-Policy"
-          content="default-src 'none'; script-src 'nonce-${nonce}' 'wasm-unsafe-eval'; font-src ${fontSrc}; style-src ${styleSrc}; connect-src ${
+          content="default-src 'none'; script-src 'nonce-${nonce}'${
+    allowWasmEval ? " 'wasm-unsafe-eval'" : ""
+  }; font-src ${fontSrc}; style-src ${styleSrc}; connect-src ${
     webview.cspSource
   };">
         ${stylesheetsHtmlLines.join(`    ${EOL}`)}

extensions/ql-vscode/src/interface.ts

@@ -221,6 +221,8 @@ export class ResultsView extends AbstractWebview<
       viewColumn: this.chooseColumnForWebview(),
       preserveFocus: true,
       view: "results",
+      // Required for the graph viewer which is using d3-graphviz WASM module
+      allowWasmEval: true,
     };
   }