Description

When I load a json from a remote host served with strict Content Security Policy (CSP) rules, the JQ filter bar is not showing.
Example: https://api.github.com/users/paolosimone/repos

Details

This happens because JQ filtering relies on WebAssembly, but WASM execution is enabled only if CSP allows the execution of unsafe code ('script-src': 'unsafe-eval')... even if the wasm file is the one bundled with the extension package!

Error: Wasm code generation disallowed by embedder

References:

• WebAssembly CSP proposal
• Tracking issue for adding WebAssembly CSP support

Why not Sandbox?

The recommended approach is to run wasm code in a sandbox and send/receive data through message passing. This solution introduces an additional overhead due to serialization/deserialization of the message content (in our case, the JSON itself).

How much overhead? Will it continue to work smoothly with ~10MB json?

Don't know, I guess we could give it a try (at least as a fallback strategy) before jumping to conclusion.

But I want to use the interactive JQ feature now

I feel you. In the meantime you could download the json (floppy disk icon) and load the file in the browser.

guess we'll deal with it 🤷