Hi, when setting up a local self-hosted copy I noticed issues with the CSP headers. The browser dev-tools is blocking some javascript because I do not use unsafe-eval as script-src.
Some unsecure javascript is blocking zlib-1.2.11.js from loading
Firefox:

Opera:

Edge:

Server address:
N/A
Server OS:
Gentoo Linux 5.11.6
Webserver:
Apache 2.4.46
Browser:
Opera and FireFox
PrivateBin version:
I can reproduce this issue on https://privatebin.net: Yes
I saw in the code that zlib is only needed if I wanted compressed pastes. I don't because I use compressed filesystem and brotli/deflate output from apache. Is there a way to prevent the zlib.js/wasm files from being loaded from the webserver at all?
unsafe-eval is used for more then just wasm support, but also in the browser capability detection:
https://github.com/PrivateBin/PrivateBin/blob/5a9bcea3a919af84e275dc77c80ea270272a4663/cfg/conf.sample.php#L86-L90
You can disable compressed pastes using a configuration option, but note three things:
Thanks for the detailed answer and I think it makes sense.
I enabled the CSP headers from the conf.php file but chrome still warns about the same thing.

I've also set less strict headers in Apache to test, but the result is the same.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval';"
The Chrome message is a bit misleading - it warns you about the usage of unsafe-eval (which is a bit silly as Chrome will only accept loading WASM dynamically when unsafe-eval is enabled, unlike Firefox which loads it just fine without that setting) and it implies that the script which loads the zlib WASM _would be affected_ if you were to disable it.
If you test your site using Chrome and create a paste, you can see in the JSON of the paste (in the network tab, it's the POST request sent after you hit the send button) that it indeed has the compression property set to "zlib" and not "none" (it's the key .adata[0][7] as per our API's JSON-LD schema), so Chrome does load the zlib WASM just fine and is able to use it.
I think this question has been answered and I am closing the issue. Please feel free to reply if you have follow-up questions or create a separate issue for different topics.
Most helpful comment
unsafe-evalis used for more then just wasm support, but also in the browser capability detection:https://github.com/PrivateBin/PrivateBin/blob/5a9bcea3a919af84e275dc77c80ea270272a4663/cfg/conf.sample.php#L86-L90
You can disable compressed pastes using a configuration option, but note three things: