Simplify CSP to fix eval blocking issues

- Simplified Content Security Policy to use wildcard https://* for external resources
- Reduced CSP length to prevent parsing issues
- Maintained 'unsafe-eval' for WebAssembly functionality
- CSP now allows all HTTPS resources while maintaining security

wssshd2/web.c

@@ -2445,7 +2445,7 @@ static int handle_request(int client_fd, const http_request_t *req) {
             int len = snprintf(html, sizeof(html), rdp_page_html,
                 client_id, client_id, client_id, client_id, client_id);
             // Add comprehensive CSP header for RDP functionality
-            const char *csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://fonts.googleapis.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://fonts.googleapis.com; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; img-src 'self' data: https://*; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self'; form-action 'self';";
+            const char *csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*; style-src 'self' 'unsafe-inline' https://*; font-src 'self' https://*; img-src 'self' data: https://*; connect-src 'self' ws: wss:; object-src 'none';";
             send_response(client_fd, 200, "OK", "text/html", html, len, NULL, csp_header);
         } else {
             // Handle RDP actions (connect, disconnect)