CSP unsafe-eval for ghc_jsffi

[alebon]

I was playing around with the examples because I was interested in replacing some of my chrome extensions with one of the Haskell frameworks (Miso or Reflex).
But with both, I ran into the problem that the generated post link JS contains eval and new Function as soon as one of the Frameworks is used via JSFFI.
Unfortunately this requires unsafe-eval, which is not allowed for chrome extensions.

Is there a way to work around this?

(I tested as well Rust (leptos) apps with the wasm file, which works just fine)

[amesgen]

Ah, interesting use case! Yes, this should be possible (still needing 'wasm-unsafe-eval' of course): Currently, both jsaddle-wasm as well as miso use eval, but this is just for convenience to easily load some JS helpers.

I hacked something together (by creating appropriate Wasm JSFFI imports via TemplateHaskell), will push some time tomorrow 👍

[alebon]

Hey @amesgen, just checking in – super excited about what you mentioned! No pressure at all. Just wanted to ask if you had a chance to push your changes yet – would love to try it out in my extension setup.

Thanks again for looking into this!

[amesgen]

Hey, now came around pushing this, see the linked PRs. You can add the following s-r-ps to cabal.project, and then, unsafe-eval should no longer be required for running the examples in this repo:

  source-repository-package
    type: git
    location: https://github.com/amesgen/jsaddle-wasm
    tag: 513a1af926a4b6b9145b5cac0f5aee8f042cd9ea

  source-repository-package
    type: git
    location: https://github.com/amesgen/miso
    tag: 9c8630f4bf1a0c85a8508c1026f7d61f95bc2f01

If you want to use Miso from master instead of the latest released version, you can use a commit from dmjio/miso#998.

---

For reflex-frp, this should also work in theory. When adding the jsaddle-wasm s-r-p to https://github.com/tweag/ghc-wasm-reflex-examples/, the example mostly works for me, but it seems that some UI features somehow transitively still invoke eval; would need to take a closer look there (probably mostly grepping for eval).

---

If this works for you, then I will publish at least jsaddle-wasm with the fix, so that s-r-p will go away again. EDIT: see #33 (comment)

[alebon]

Without the index-state update, I am missing the parser-regex dependency. Updating index-state to 2025-06-09T18:18:27Z gives me this:

[1 of 4] Compiling Language.Javascript.JSaddle.Wasm.Internal.TH ( src-wasm/Language/Javascript/JSaddle/Wasm/Internal/TH.hs, dist/build/Language/Javascript/JSaddle/Wasm/Internal/TH.o, dist/build/Language/Javascript/JSaddle/Wasm/Internal/TH.dyn_o )
[2 of 4] Compiling Language.Javascript.JSaddle.Wasm.Internal ( src-wasm/Language/Javascript/JSaddle/Wasm/Internal.hs, dist/build/Language/Javascript/JSaddle/Wasm/Internal.o, dist/build/Language/Javascript/JSaddle/Wasm/Internal.dyn_o )
/tmp/ghc197945_tmp_0_0/ghc_tmp_1_3.c:96:155: error:
     error: unknown type name 'HsFUN'
       96 | HsJSVal ZC7ZCjsaddlezmwasmzm0zi1zi1zi0zmf913737c8cba9f2b5f0f5070b694cd586b9a900dc98bc80a2c492c67c2e3c6f4ZCLanguageziJavascriptziJSaddleziWasmziInternalZC(HsFUN a1);
          |                                                                                                                                                           ^
   |
96 | HsJSVal ZC7ZCjsaddlezmwasmzm0zi1zi1zi0zmf913737c8cba9f2b5f0f5070b694cd586b9a900dc98bc80a2c492c67c2e3c6f4ZCLanguageziJavascriptziJSaddleziWasmziInternalZC(HsFUN a1);
   |                                                                                                                                                           ^

/tmp/ghc197945_tmp_0_0/ghc_tmp_1_3.c:98:184: error:
     error: call to undeclared function 'rts_getFUN'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
       98 | {return rts_mkJSVal(&MainCapability, ZC7ZCjsaddlezmwasmzm0zi1zi1zi0zmf913737c8cba9f2b5f0f5070b694cd586b9a900dc98bc80a2c492c67c2e3c6f4ZCLanguageziJavascriptziJSaddleziWasmziInternalZC(rts_getFUN(a1)));}
          |                                                                                                                                                                                        ^
   |
98 | {return rts_mkJSVal(&MainCapability, ZC7ZCjsaddlezmwasmzm0zi1zi1zi0zmf913737c8cba9f2b5f0f5070b694cd586b9a900dc98bc80a2c492c67c2e3c6f4ZCLanguageziJavascriptziJSaddleziWasmziInternalZC(rts_getFUN(a1)));}
   |                                                                                                                                                                                        ^

2 errors generated.
<no location info>: error:
    `wasm32-wasi-clang' failed in phase `C Compiler'. (Exit code: 1)

[4 of 4] Compiling Language.Javascript.JSaddle.Wasm.TH ( src/Language/Javascript/JSaddle/Wasm/TH.hs, dist/build/Language/Javascript/JSaddle/Wasm/TH.o, dist/build/Language/Javascript/JSaddle/Wasm/TH.dyn_o )
Error: [Cabal-7125]
Failed to build jsaddle-wasm-0.1.1.0 (which is required by exe:app from extension-app-1.0.0). See the build log above for details.```

[amesgen]

Which wasm32-wasi-ghc are you on? 9.12.2.20250327 should work.

[alebon]

I am using the 9.12 flavor from ghc-wasm-meta which results in 9.12.1.20250206 on my linux machine.
Not sure how I could have something more up to date.

[amesgen]

Hmm, can you try to re-install GHC 9.12 via ghc-wasm-meta?

[alebon]

Yeah, my bad, sorry for this. Forgot the nix flake update part.

WASM Extension app loads and works without errors! Super cool! Thanks a lot! Let's see if it gets accepted.

On Reflex FRP wasm, I have noticed one eval call still present in this part:

case "EvaluateScript":
  var n = d.contents[1];
  jsaddle_values.set(n, eval(d.contents[0]));
  break;

[amesgen]

On Reflex FRP wasm, I have noticed one eval call still present in this part:

case "EvaluateScript":
  var n = d.contents[1];
  jsaddle_values.set(n, eval(d.contents[0]));
  break;

Yes, this is what is backing the JSaddle eval, which would need to be patched where it is (transitively) used in Reflex (this is what the Miso PR dmjio/miso#998 does).

[amesgen]

I uploaded jsaddle-wasm 0.1.2.0 with (a variant of) the fix, so that s-r-p can be removed. The corresponding miso s-r-p to use is

source-repository-package
  type: git
  location: https://github.com/amesgen/miso
  tag: de757b35a5e600aefa2719f9a3fa377df0305a26

[alebon]

So, yeah, it is basically possible to write extensions for chrome and firefox.
This is my toy project, passed review, etc. https://addons.mozilla.org/de/firefox/addon/calculator-neo

As I already mentioned, it's written in Reflex (taken from the GHC Wasm Reflex FRP example).
Basic features work (as long as eval is not used. Dynamic widget result in eval usage)

Do you see any chance to look into the Reflex Dom Code to get rid of the eval calls (maybe with a bounty)? I tried myself, but I a have no experience in TH / Wasm / GHC code. I guess there are three eval places to be fixed.
https://github.com/reflex-frp/reflex-dom/blob/2baa713dfc2e247d1f93380fcab443d9255f2bcb/reflex-dom-core/src/Reflex/Dom/Builder/Immediate.hs#L527