Skip to content

wsssh
wsssh
Commit 254810cc authored by Stefy Lanza (nextime / spora )'s avatar Stefy Lanza (nextime / spora )
Browse files
Options

Simplify CSP to fix eval blocking issues 

- Simplified Content Security Policy to use wildcard https://* for external resources
- Reduced CSP length to prevent parsing issues
- Maintained 'unsafe-eval' for WebAssembly functionality
- CSP now allows all HTTPS resources while maintaining security
parent 01bf91aa
Hide whitespace changes
Inline Side-by-side
Showing with 1 addition and 1 deletion
wssshd2/web.c
View file @ 254810cc
......@@ -2445,7 +2445,7 @@ static int handle_request(int client_fd, const http_request_t *req) {
int len = snprintf(html, sizeof(html), rdp_page_html,
client_id, client_id, client_id, client_id, client_id);
// Add comprehensive CSP header for RDP functionality
const char *csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://fonts.googleapis.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://fonts.googleapis.com; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; img-src 'self' data: https://*; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self'; form-action 'self';";
const char *csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*; style-src 'self' 'unsafe-inline' https://*; font-src 'self' https://*; img-src 'self' data: https://*; connect-src 'self' ws: wss:; object-src 'none';";
send_response(client_fd, 200, "OK", "text/html", html, len, NULL, csp_header);
} else {
// Handle RDP actions (connect, disconnect)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment