Merged
6 changes: 3 additions & 3 deletions apps/desktop/src/renderer/index.html
@@ -9,13 +9,13 @@
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

- default-src 'self': Only allow resources from same origin
- script-src 'self' https://*.posthog.com: Allow scripts from same origin + PostHog
- script-src 'self' 'wasm-unsafe-eval' https://*.posthog.com: Allow scripts from same origin + WebAssembly (for xterm ImageAddon) + PostHog
Contributor

⚠️ Potential issue | 🟡 Minor

Remove incorrect claim that xterm ImageAddon requires WebAssembly.

The comment states that 'wasm-unsafe-eval' is needed for xterm ImageAddon, but the addon processes images entirely in JavaScript and does not require WebAssembly. The encoder is documented as "not yet wasm optimized," confirming WASM is not currently used. Update the comment to reflect that this CSP directive is not needed for the ImageAddon specifically.

🤖 Prompt for AI Agents
In apps/desktop/src/renderer/index.html around line 12, the inline comment
incorrectly claims that 'wasm-unsafe-eval' is required for xterm ImageAddon;
update the comment to remove or reword that claim and state that the ImageAddon
processes images in JavaScript and does not require WebAssembly, and if
'wasm-unsafe-eval' remains in the CSP, clarify it's for other unrelated WASM
uses (or remove it if not needed elsewhere).

- style-src 'self' 'unsafe-inline': Allow styles from same origin + inline (needed for CSS-in-JS)
- connect-src 'self' ws: wss: https://*.posthog.com: Allow WebSocket connections for HMR + PostHog analytics
- img-src 'self' data:: Allow images from same origin + data URIs
- img-src 'self' data: https://*.public.blob.vercel-storage.com: Allow images from same origin + data URIs + Vercel blob storage (avatars)
Contributor

⚠️ Potential issue | 🟡 Minor

Good fix for data URI syntax, but verify Vercel blob storage scope.

The correction from data:: to data: fixes invalid CSP syntax for data URIs—this is a proper bug fix.

However, adding https://*.public.blob.vercel-storage.com for avatar images appears unrelated to the WASM fix described in the PR title. Consider splitting unrelated changes into separate PRs for clearer change tracking.

- font-src 'self': Allow fonts from same origin
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://*.posthog.com; style-src 'self' 'unsafe-inline'; connect-src 'self' ws: wss: https://*.posthog.com; img-src 'self' data:; font-src 'self';" />
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval' https://*.posthog.com; style-src 'self' 'unsafe-inline'; connect-src 'self' ws: wss: https://*.posthog.com; img-src 'self' data: https://*.public.blob.vercel-storage.com; font-src 'self';" />
</head>

<body>
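Review bot: the new `img-src` source `https://*.public.blob.vercel-storage.com` in the `<meta>` tag admits images from every Vercel blob store, not only the one holding this project's avatars; if the store hostname is fixed, pin it (`https://<store-id>.public.blob.vercel-storage.com`, with `<store-id>` being the project's own value, which this diff does not show) and keep the header comment's "(avatars)" note matched to whatever host is chosen. Also worth stating in the comment block that `'wasm-unsafe-eval'` in `script-src` applies to every allowed script origin, including `https://*.posthog.com`, so scripts from that origin may compile WebAssembly too; that is far narrower than `'unsafe-eval'` but broader than the single xterm use the comment describes.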