The Content-Security-Policy (CSP) HTTP header emited by a web server may affect clients' ability to download or run JavaScript and WASM code. This capability is an HTTP-based restriction over which the SQLite library has no control, but it may affect clients of the library so we document it in the hopes of assisting users who are having CSP-related problems loading or running SQLite.
This page essentially summarizes a discussion in the SQLite forum. See that forum post for more on the topic.
The summary of that discussion is that sites serving the SQLite WASM/JavaScript code need to do one of the following with regards to emitting a CSP header for the file(s) which load WASM content:
- Do not emit a CSP, in which case the browser's default is lenient enough to permit downloading and execution of WASM.
- Emit:
script-src 'wasm-unsafe-eval'
(along with any other requiredscript-src
directives) for any JS files which load WASM.
Where and how to configure the CSP is different for each web server and is out of scope here. Please consult the documentation for your server software and/or the server's administrators.