WebAssembly conflict with restrictive CSP in Chrome#3

First, thanks for this great package! I'm using it in my web-application, where it works wonderful, even for very large files (> 10 GB). Unfortunately, if a page has a restrictive Content-Security-Policy which does not allow `'unsafe-eval'` for `script-src`, the `WebAssembly.compile` will fail with: > CompileError: WebAssembly.compile(): Wasm code generation disallowed by embedder For more information see: https://github.com/WebAssembly/content-security-policy/issues/7 https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md I found a simply workaround which grabs the `WebAssembly` object from a page with `'unsafe-eval'` set, and overwrites the object from the "main window". This is possible using this JavaScript: ``` // @ts-expect-error window.WebAssembly = await (async () => new Promise((resolve) => { const iframe = document.createElement('iframe'); // This page is using `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'` iframe.src = '/wasm/'; iframe.addEventListener('load', () => { // @ts-expect-error const wasm = iframe.contentWindow?.WebAssembly ?? WebAssembly; document.body.removeChild(iframe); resolve(wasm); }); document.body.appendChild(iframe); }))(); ``` So **hash-wasm** is using the `WebAssembly` object from the iframe with `'unsafe-eval'` without to even know about this "hack". Since I don't like overwriting global objects, I think it would be a nice feature to be able to provide the `WebAssembly` object, which it should use, directly to **hash-wasm**.