fix(desktop): WASM not actually being used by xterm fix

[AviPeltz]

Description

Related Issues

Type of Change

• [ x] Bug fix
• New feature
• Documentation
• Refactor
• Other (please describe):

Testing

Screenshots (if applicable)

Additional Notes

Summary by CodeRabbit

• Updates
  • Enhanced browser security policies to support avatar image loading from cloud storage and WebAssembly-based terminal rendering capabilities.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This change updates the Content Security Policy (CSP) directives in the desktop renderer HTML file. The script-src is expanded to permit WebAssembly unsafe evaluation for xterm ImageAddon, while img-src is refined to allow avatar images from Vercel blob storage while correcting the data URI syntax.

Changes

Cohort / File(s)	Summary
CSP directives update apps/desktop/src/renderer/index.html	Updated script-src to include 'wasm-unsafe-eval' for WebAssembly/xterm ImageAddon support and PostHog scripts; corrected img-src from data:: to data: and added https://*.public.blob.vercel-storage.com for avatar images; aligned meta tag and comments with new policy

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Security consideration: CSP directives control script and resource loading; verify that 'wasm-unsafe-eval' is necessary and that Vercel blob storage domain restriction is intentional
• Syntax accuracy: Confirm data: URI syntax is correct (previously data::) and aligns with actual usage

Poem

🐰 A CSP tale, I do proclaim,
WebAssembly flows without shame,
Avatars from Vercel's store,
Security tightened, forevermore,
Blobs and scripts in harmony dwell! 📜

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description uses the correct template structure but fails to provide substantive content in critical sections including Description, Related Issues, Testing, and Additional Notes.	Fill in the Description section explaining the WASM issue and CSP fix, link any related issues, document how the fix was tested, and add context about why these CSP changes were necessary.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly addresses the main change: fixing WebAssembly (WASM) usage in xterm by updating the Content Security Policy to include 'wasm-unsafe-eval'.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch external-fish-b3df1e

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

Service	Status
Database (Neon)	✅

Thank you for your contribution! 🎉

---

Preview resources have been processed for cleanup

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d9c6056 and f12cadf.

📒 Files selected for processing (1)

• apps/desktop/src/renderer/index.html (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-12-12T05:45:09.686Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-12T05:45:09.686Z
Learning: Applies to apps/desktop/src/renderer/**/*.{ts,tsx,js,jsx} apps/desktop/src/lib/**/*.{ts,tsx,js,jsx} apps/desktop/src/shared/**/*.{ts,tsx,js,tsx} : Never import Node.js modules in renderer process or shared code, only in main process

Applied to files:

• apps/desktop/src/renderer/index.html

🔇 Additional comments (1)

apps/desktop/src/renderer/index.html (1)

18-18: The 'wasm-unsafe-eval' addition is correct and documented.

xterm ImageAddon provides inline image output supporting SIXEL and iTerm's inline image protocol (IIP), which uses WebAssembly. 'wasm-unsafe-eval' controls WebAssembly execution, and if not specified in the script-src directive, WebAssembly is blocked from loading and executing on the page. The inline HTML comment already explains this purpose.

The 'wasm-unsafe-eval' source expression is more specific than 'unsafe-eval', which permits both compilation and instantiation of WebAssembly and the use of the eval operation in JavaScript. This is the standard approach recommended by W3C and browser vendors for enabling WASM support while maintaining CSP security.

No further action needed on the CSP directive itself. The change is justified, necessary, and properly documented.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove incorrect claim that xterm ImageAddon requires WebAssembly.

The comment states that 'wasm-unsafe-eval' is needed for xterm ImageAddon, but the addon processes images entirely in JavaScript and does not require WebAssembly. The encoder is documented as "not yet wasm optimized," confirming WASM is not currently used. Update the comment to reflect that this CSP directive is not needed for the ImageAddon specifically.

🤖 Prompt for AI Agents

In apps/desktop/src/renderer/index.html around line 12, the inline comment
incorrectly claims that 'wasm-unsafe-eval' is required for xterm ImageAddon;
update the comment to remove or reword that claim and state that the ImageAddon
processes images in JavaScript and does not require WebAssembly, and if
'wasm-unsafe-eval' remains in the CSP, clarify it's for other unrelated WASM
uses (or remove it if not needed elsewhere).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Good fix for data URI syntax, but verify Vercel blob storage scope.

The correction from data:: to data: fixes invalid CSP syntax for data URIs—this is a proper bug fix.

However, adding https://*.public.blob.vercel-storage.com for avatar images appears unrelated to the WASM fix described in the PR title. Consider splitting unrelated changes into separate PRs for clearer change tracking.