HTTP Content-Security-Policy (CSP)

The Content-Security-Policy (CSP) HTTP header emited by a web server may affect clients' ability to download or run JavaScript and WASM code. This capability is an HTTP-based restriction over which the SQLite library has no control, but it may affect clients of the library so we document it in the hopes of assisting users who are having CSP-related problems loading or running SQLite.

This page essentially summarizes a discussion in the SQLite forum. See that forum post for more on the topic.

The summary of that discussion is that sites serving the SQLite WASM/JavaScript code need to do one of the following with regards to emitting a CSP header for the file(s) which load WASM content:

Do not emit a CSP, in which case the browser's default is lenient enough to permit downloading and execution of WASM.
Emit:
script-src 'wasm-unsafe-eval'
(along with any other required script-src directives) for any JS files which load WASM.

Where and how to configure the CSP is different for each web server and is out of scope here. Please consult the documentation for your server software and/or the server's administrators.

The SQLite JavaScript code, in addition to loading sqlite3.wasm, has to create and compile a small amount of WASM binary code in order to bind some of its JS-side functions to C counterparts in the C library (i.e. the main WASM module). Similarly, binding client-side user-defined SQL functions, custom collations, authorizers, and similar hooks to the C library requires the same treatment. Thus using this library requires that the client's environment (e.g. browser) permit compilation of WASM code.