fix: remove wasm-unsafe-eval from Content-Security-Policy header

MudDev · MudDev · commit cecd85374ee5 · 2026-04-03T15:35:54.000-06:00
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
@@ -386,7 +386,7 @@ def sendHeader(self, status=200, content_type="text/html", noscript=False, allow
                 other_port = config.ui_port
                 frame_src = 'self'
 
-            headers["Content-Security-Policy"] = f"default-src 'none'; script-src 'nonce-{script_nonce}' 'wasm-unsafe-eval'; img-src 'self' blob: data:; style-src 'self' blob: 'unsafe-inline'; connect-src *; frame-src {frame_src}"
+            headers["Content-Security-Policy"] = f"default-src 'none'; script-src 'nonce-{script_nonce}'; img-src 'self' blob: data:; style-src 'self' blob: 'unsafe-inline'; connect-src *; frame-src {frame_src}"
 
         if allow_ajax:
             headers["Access-Control-Allow-Origin"] = "null"
