diff --git a/apps/desktop/src/renderer/index.html b/apps/desktop/src/renderer/index.html
index 395a5d00acd..38373dd0d66 100644
--- a/apps/desktop/src/renderer/index.html
+++ b/apps/desktop/src/renderer/index.html
@@ -9,13 +9,13 @@
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- default-src 'self': Only allow resources from same origin
- - script-src 'self' https://*.posthog.com: Allow scripts from same origin + PostHog
+ - script-src 'self' 'wasm-unsafe-eval' https://*.posthog.com: Allow scripts from same origin + WebAssembly (for xterm ImageAddon) + PostHog
- style-src 'self' 'unsafe-inline': Allow styles from same origin + inline (needed for CSS-in-JS)
- connect-src 'self' ws: wss: https://*.posthog.com: Allow WebSocket connections for HMR + PostHog analytics
- - img-src 'self' data:: Allow images from same origin + data URIs
+ - img-src 'self' data: https://*.public.blob.vercel-storage.com: Allow images from same origin + data URIs + Vercel blob storage (avatars)
- font-src 'self': Allow fonts from same origin
-->
-
+
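Review bot: The new img-src entry uses the wildcard `https://*.public.blob.vercel-storage.com`, which matches every public Vercel Blob store rather than only the one that serves this app's avatars, so the renderer would accept images from stores outside the project's control. Consider pinning the source to the single store hostname the avatars come from and naming that store in the comment. On the script-src line, it would help to state in the comment that 'wasm-unsafe-eval' permits WebAssembly compilation only and not JavaScript eval, so it is not later widened to 'unsafe-eval' by mistake. The changed line after the closing `-->` shows no content in this hunk, so please confirm that the policy actually set there matches the directives documented in the comment.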