Add CSP header to RDP page to allow WebAssembly execution

- Added Content-Security-Policy header with 'unsafe-eval' for script-src - Required for WebAssembly module loading in RDP client - Only applied to RDP HTML responses

Add CSP header to RDP page to allow WebAssembly execution
- Added Content-Security-Policy header with 'unsafe-eval' for script-src - Required for WebAssembly module loading in RDP client - Only applied to RDP HTML responses
8ae74833 · Stefy Lanza (nextime / spora ) · dedfd9f8 · 8ae74833
Commit 8ae74833 authored Sep 24, 2025 by Stefy Lanza (nextime / spora )
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

web.c wssshd2/web.c +3 -1

No files found.
--- a/wssshd2/web.c
+++ b/wssshd2/web.c
@@ -2444,7 +2444,9 @@ static int handle_request(int client_fd, const http_request_t *req) {
            char html[32768];
            int len = snprintf(html, sizeof(html), rdp_page_html,
                client_id, client_id, client_id, client_id, client_id);
-            send_response(client_fd, 200, "OK", "text/html", html, len, NULL, NULL);
+            // Add CSP header for WebAssembly support
+            const char *csp_header = "Content-Security-Policy: script-src 'self' 'unsafe-eval';";
+            send_response(client_fd, 200, "OK", "text/html", html, len, NULL, csp_header);
        } else {
            // Handle RDP actions (connect, disconnect)
            // Check if client exists