Bug 1770468 - Report-only wasm-unsafe-eval in MV2 r=mixedpuppy,freddyb,ckerschb

For backcompat, do not enforce wasm-unsafe-eval even if the extension
has specified a custom CSP. Do report the errors though, to allow
extension authors to discover the issue and fix it.

Differential Revision: https://phabricator.services.mozilla.com/D147105

caps/nsScriptSecurityManager.cpp

@@ -515,6 +515,17 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
     if (NS_FAILED(csp->GetAllowsWasmEval(&reportViolation, &evalOK))) {
       return false;
     }
+    if (!evalOK) {
+      // Historically, CSP did not block WebAssembly in Firefox, and some
+      // add-ons use wasm and a stricter CSP. To avoid breaking them, ignore
+      // 'wasm-unsafe-eval' violations for MV2 extensions.
+      // TODO bug 1770909: remove this exception.
+      auto* addonPolicy = BasePrincipal::Cast(subjectPrincipal)->AddonPolicy();
+      if (addonPolicy && addonPolicy->ManifestVersion() == 2) {
+        reportViolation = true;
+        evalOK = true;
+      }
+    }
   }
 
   if (reportViolation) {