From 624f5ce00bd8bfe83b526b1883b8701394fb3deb Mon Sep 17 00:00:00 2001
From: Till JS
Date: Wed, 8 Apr 2026 18:05:30 +0200
Subject: [PATCH] fix(csp): allow wasm-unsafe-eval so @mana/local-llm can instantiate WebLLM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

WebAssembly.instantiate() was blocked by script-src on every app using shared security headers. 'wasm-unsafe-eval' is the narrow CSP source that whitelists WASM compilation only — it does NOT re-enable eval() or new Function(). Required by the MLC WebGPU runtime that powers the in-browser Qwen models on /llm-test.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 packages/shared-utils/src/security-headers.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/shared-utils/src/security-headers.ts b/packages/shared-utils/src/security-headers.ts
index 4209e9993..074bb32e0 100644
--- a/packages/shared-utils/src/security-headers.ts
+++ b/packages/shared-utils/src/security-headers.ts
@@ -61,7 +61,11 @@ export function setSecurityHeaders(response: Response, options: SecurityHeadersO
   // Content Security Policy
   const cspDirectives = [
     "default-src 'self'",
-    `script-src 'self' 'unsafe-inline' https://stats.mana.how https://glitchtip.mana.how ${scriptSrc.join(' ')}`.trim(),
+    // 'wasm-unsafe-eval' is required by @mana/local-llm (WebLLM) to
+    // instantiate the MLC WebGPU runtime. It only permits WebAssembly
+    // compilation, NOT eval()/new Function() — much narrower than the
+    // legacy 'unsafe-eval' source. Supported by all evergreen browsers.
+    `script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://stats.mana.how https://glitchtip.mana.how ${scriptSrc.join(' ')}`.trim(),
     "style-src 'self' 'unsafe-inline'",
     `img-src 'self' data: blob: https: ${imgSrc.join(' ')}`.trim(),
     `connect-src 'self' https://stats.mana.how https://glitchtip.mana.how ${connectSrc.join(' ')}`.trim(),
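Review bot: The new script-src line grants 'wasm-unsafe-eval' to every consumer of setSecurityHeaders, although the commit message says only @mana/local-llm on /llm-test needs it, and the function already accepts a per-app `scriptSrc` option that is appended to this very directive. Keeping the shared default as it was before this patch and having the local-llm app opt in at its call site — `scriptSrc: ["'wasm-unsafe-eval'"]` — keeps apps that ship no WASM on the narrower policy, which is the least-privilege shape this helper was presumably built for. If the shared default is kept, the comment's "Supported by all evergreen browsers" claim should be hedged or dated rather than stated as fact, since a browser that does not recognise the keyword simply ignores it and keeps blocking instantiation, so the fix would silently not apply there. setSecurityHeaders begins before and ends after this hunk.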