Add comprehensive Content Security Policy for RDP page

- Added full CSP header allowing WebAssembly, external scripts/styles, WebSocket connections
- Includes 'unsafe-eval' and 'unsafe-inline' for RDP functionality
- Allows CDN resources from jsdelivr and cloudflare
- Permits WebSocket connections for RDP protocol
parent a7177ce8
......@@ -2444,8 +2444,8 @@ static int handle_request(int client_fd, const http_request_t *req) {
char html[32768];
int len = snprintf(html, sizeof(html), rdp_page_html,
client_id, client_id, client_id, client_id, client_id);
// Add CSP header for WebAssembly support and external resources
const char *csp_header = "Content-Security-Policy: script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; font-src 'self' https://cdnjs.cloudflare.com;";
// Add comprehensive CSP header for RDP functionality
const char *csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; font-src 'self' https://cdnjs.cloudflare.com; img-src 'self' data:; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self'; form-action 'self';";
send_response(client_fd, 200, "OK", "text/html", html, len, NULL, csp_header);
} else {
// Handle RDP actions (connect, disconnect)
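Review bot: adding 'unsafe-inline' to script-src in the new csp_header (alongside the existing 'unsafe-eval') removes most of the protection the policy was meant to give, because the page is assembled with snprintf(html, ..., rdp_page_html, client_id, ...) and any injection into that HTML would now be allowed to run as an inline script. Prefer a per-response nonce on the inline scripts and styles the RDP page actually needs (`script-src 'self' 'nonce-<random>' https://cdn.jsdelivr.net ...`) or SHA hashes of those blocks; browsers ignore 'unsafe-inline' once a nonce or hash is present, so the directive should not be needed at all. Two smaller points on the same line: `connect-src 'self' ws: wss:` permits WebSocket connections to any host over either scheme, so it should be narrowed to `wss://` plus the specific gateway origin the RDP client talks to, and the policy has no `frame-ancestors` directive, so the remote-desktop page can still be embedded in a third-party frame; `frame-ancestors 'none'` (or 'self') would close that. The added `default-src 'self'`, `object-src 'none'`, `base-uri 'self'` and `form-action 'self'` are good and should stay.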