Havok Physics load error - unsafe eval in a browser extension, a Content Security Policy constrained environment

HavokPhysics_es.js:9 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'".

    at new Function (<anonymous>)
    at createNamedFunction (HavokPhysics_es.js:9:10533)
    at extendError (HavokPhysics_es.js:9:10725)
    at HavokPhysics_es.js:9:38478
    at main.js:12:25

I’m attempting to use Havok in a browser extension and get the previous error. The loading code is:

import HavakPhysics from './3rd-party/HavokPhysics_es.js'

let havok_reign = await HavakPhysics()

Elsewhere on the internet there are suggestions on how to fix this using “-s NO_DYNAMIC_EXECUTION=1” when building: https://stackoverflow.com/questions/64698248/chrome-extension-refused-to-evaluate-a-string-as-javascript-because-unsafe-eval/64814360

cc @eoin @RaananW

I wouldn’t want to change a default flag without understanding all of the consequences. I understand that you want to use it in an environment that doesn’t support it, but we will first need to evaluate what environments we are breaking with this change.
Reading from the docs, it seems some functions will be throwing exceptions (or warning if the flag is set to 2). Also loadDynamicLibrary is not available, but I am not sure if and where it is used TBH.
I also found this (for example) - Embind is slow without DYNAMIC_EXECUTION · Issue #20673 · emscripten-core/emscripten · GitHub. So there are other side effects we have to understand. Will most certainly wait for @eoin’s feedback here as well.

Slowness was fixed with EMBIND_AOT, apparently. (A fairly recent change.) https://emscripten.org/docs/tools_reference/settings_reference.html#embind-aot


This isn’t an environment that we considered running the plugin in, to be honest, so very curious what your use-case is. The toolchain version we’re currently using to build the WASM doesn’t support that AOT option, so would require a bunch of updates and additional testing but I can put an item on our list to investigate this.


“Serverless” shared multiplayer games. “Serverless” is a tiny bit of a misnomer, since you “always” need a (a la RTC) way to make “first contact”, but once the extension is in the browser, no server needed. (At least that’s the current dream.)

That’s my eventual use-case. My current use case is also serverless: I can edit my game and just refresh the extension: no server needed.

I’ve got a work-around using Ammo, but I’d rather use current tech.
If it looks like you’re not going to get to it, and I get annoyed enough, I’ll look at generating a patched version of the loader (by running the loader in a non-restrictive environment and saving the generated functions (which may not work, but that seems like what the AOT option essentially does)).

Havok Physics will load in a sandboxed iframe within the extension. I’m convinced that putting both Havok and Babylon in the iframe would work for my use-case, with tight binding between Havok and Babylon, message passing to the more privileged extension and from there to the internet at large.
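
The sandboxed-iframe arrangement described in the last post moves the `eval`-dependent loader into a page with no extension APIs, which makes the message handler on the privileged side the trust boundary. The following is an added example, not code from the thread or from Havok or Babylon.js: a constructed Manifest V3 fragment plus a parent-side message validator. The file name `sandbox.html`, the message types, the size limits and the helper names are assumptions made for illustration.

```javascript
// Constructed MV3 manifest fragment. "sandbox.html" is a hypothetical name.
// A page listed here gets an opaque origin and no chrome.* APIs, and its CSP
// may allow 'unsafe-eval', which the extension's own pages may not.
const MANIFEST_FRAGMENT = {
  manifest_version: 3,
  sandbox: { pages: ["sandbox.html"] },
  content_security_policy: {
    sandbox: "sandbox allow-scripts; script-src 'self' 'unsafe-eval'",
  },
};

// Hypothetical message types the privileged page agrees to act on, each with
// a payload validator. Anything not listed is dropped.
const ALLOWED = {
  "net.send": (p) => typeof p === "object" && p !== null &&
    typeof p.channel === "string" && typeof p.data === "string" &&
    p.data.length <= 16384,
  "state.save": (p) => typeof p === "string" && p.length <= 65536,
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Builds the "message" listener for the privileged extension page.
// Returns a verdict string so the decision can be logged and tested.
function makeBridge(frameWindow, handlers) {
  return function onMessage(event) {
    // The sandbox's origin is opaque (event.origin is "null"), so the
    // sender is pinned by window identity, not by origin string.
    if (event.source !== frameWindow) return "rejected:sender";
    const msg = event.data;
    if (typeof msg !== "object" || msg === null) return "rejected:shape";
    const check = own(ALLOWED, msg.type) ? ALLOWED[msg.type] : null;
    const handler = own(handlers, msg.type) ? handlers[msg.type] : null;
    if (!check || typeof handler !== "function") return "rejected:type";
    if (!check(msg.payload)) return "rejected:payload";
    handler(msg.payload);
    return "accepted";
  };
}

// Browser wiring (not run here): the iframe element loads sandbox.html.
// const frame = document.getElementById("game");
// addEventListener("message", makeBridge(frame.contentWindow, handlers));
```

Keeping the allowlist narrow means that code running with `eval` inside the sandbox can only request the few operations the privileged page has chosen to expose.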