Content Security Policy reports violation on WebAssembly calls although source 'unsafe-eval' is given
Reported by frank.we...@sap.com, Dec 17
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce the problem:
1. unpack the attached archive and start the server (npm start) - requires node and web access (qunit from CDN)
2. open http://localhost:8000 in Chrome, it is a QUnit test page
3. the failing tests show unexpected CSP reports (events) for WebAssembly code

What is the expected behavior?
When 'unsafe-eval' is given as an allowed script-src in the CSP, this should cover WebAssembly APIs. Alternatively, some of the log messages of Chrome suggest that 'wasm-eval' should allow the same without allowing 'eval' in general.

What went wrong?
Although 'unsafe-eval' is given in a CSP, Chrome reports a violation (in the console, as an event and to a configured endpoint). When 'wasm-eval' is given, Chrome even complains about an invalid source, although it mentions that source itself in the console (see attached screenshot).

Chrome Canary (73.0.3642.0, 64-Bit, macOS) showed the same result for me.

Did this work before? No

Does this work in other browsers? N/A

Chrome version: 71.0.3578.98  Channel: stable
OS Version: OS X 10.14.1
Flash Version:

IMO this is not a security issue as the WASM code is never executed when it shouldn't be. Just the reporting is broken. As we use the reporting for quality measures, this is nevertheless an issue for us.

Regarding the template question whether this works in other browsers: no, but for different reasons. Most seem not to implement CSP for WebAssembly yet, but I didn't check it in detail, only ran the attached tests against Safari and Firefox (on Mac).
Jan 8
From comment #0 it is understood that this requires node and web access (qunit from CDN) to start the server (npm start). As we currently do not have a setup to triage this further, adding label TE-NeedsTriageHelp and requesting someone from the respective team to help in further triaging it. Thanks!
Jan 9
titzer@ any clue what's happening here?
Comment 1 by phanindra.mandapaka@chromium.org, Dec 17