feat(electron): fix Content Security Policy to include 'wasm-unsafe-eval' for script execution

2026-04-25 22:02:16 +00:00 · 2026-04-23 17:46:31 -05:00
parent 4b9c16f6c3
commit 1d11a7ab06
4 changed files with 4 additions and 3 deletions
--- a/electron/crash.html
+++ b/electron/crash.html
@@ -4,7 +4,7 @@
        <meta charset="UTF-8" />
        <meta
            http-equiv="Content-Security-Policy"
-            content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"
+            content="default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"
        />
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
        <title>MeshChatX - Crash Report</title>
--- a/electron/loading.html
+++ b/electron/loading.html
@@ -3,7 +3,7 @@
        <meta charset="UTF-8" />
        <meta
            http-equiv="Content-Security-Policy"
-            content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' http://127.0.0.1:9337 https://127.0.0.1:9337 http://localhost:9337 https://localhost:9337;"
+            content="default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' http://127.0.0.1:9337 https://127.0.0.1:9337 http://localhost:9337 https://localhost:9337;"
        />
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
--- a/electron/main.js
+++ b/electron/main.js
@@ -506,7 +506,7 @@ app.whenReady().then(async () => {
        // Define a robust fallback CSP that matches our backend's policy
        const fallbackCsp = [
            "default-src 'self'",
-            "script-src 'self' 'unsafe-inline'",
+            "script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'",
            "style-src 'self' 'unsafe-inline'",
            "img-src 'self' data: blob: https://*.tile.openstreetmap.org https://tile.openstreetmap.org https://*.cartocdn.com https://tiles.openfreemap.org https://*.openfreemap.org",
            "font-src 'self' data: https://tiles.openfreemap.org https://*.openfreemap.org",
--- a/tests/backend/test_csp_logic.py
+++ b/tests/backend/test_csp_logic.py
@@ -66,6 +66,7 @@ async def test_csp_header_logic(mock_rns_minimal, tmp_path):
        assert "https://api.example.com" in csp
        assert "https://tiles.example.com" in csp
        assert "default-src 'self'" in csp
+        assert "wasm-unsafe-eval" in csp


@pytest.mark.asyncio