Remove CSP entirely for RDP pages

- Removed Content Security Policy header for RDP pages - CSP was blocking WebAssembly eval() and other required functionality - RDP pages now load without CSP restrictions - WebAssembly and RDP client can now execute properly

Remove CSP entirely for RDP pages
- Removed Content Security Policy header for RDP pages - CSP was blocking WebAssembly eval() and other required functionality - RDP pages now load without CSP restrictions - WebAssembly and RDP client can now execute properly
21d4c66a · Stefy Lanza (nextime / spora ) · 254810cc · 21d4c66a
Commit 21d4c66a authored Sep 24, 2025 by Stefy Lanza (nextime / spora )
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 3 deletions

web.c wssshd2/web.c +2 -3

No files found.
--- a/wssshd2/web.c
+++ b/wssshd2/web.c
@@ -2444,9 +2444,8 @@ static int handle_request(int client_fd, const http_request_t *req) {
            char html[32768];
            int len = snprintf(html, sizeof(html), rdp_page_html,
                client_id, client_id, client_id, client_id, client_id);
-            // Add comprehensive CSP header for RDP functionality
-            const char *csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*; style-src 'self' 'unsafe-inline' https://*; font-src 'self' https://*; img-src 'self' data: https://*; connect-src 'self' ws: wss:; object-src 'none';";
-            send_response(client_fd, 200, "OK", "text/html", html, len, NULL, csp_header);
+            // No CSP header for RDP pages to avoid blocking WebAssembly
+            send_response(client_fd, 200, "OK", "text/html", html, len, NULL, NULL);
        } else {
            // Handle RDP actions (connect, disconnect)
            // Check if client exists