From 06085cda213a0ef0ff05af4e171112c2a61596f8 Mon Sep 17 00:00:00 2001
From: claude <claude@verso>
Date: Fri, 19 Jun 2026 14:35:26 +0000
Subject: [PATCH] fix(csp): allow WebAssembly instantiation via
 wasm-unsafe-eval

WebAssembly.instantiateStreaming() requires 'wasm-unsafe-eval' in the
script-src CSP directive. Unlike 'unsafe-eval', this only permits WASM
compilation and does not allow arbitrary eval() calls.

Needed for the typst.ts WASM preview (both compiler and renderer).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/web/app/src/infrastructure/CSP.mjs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/web/app/src/infrastructure/CSP.mjs b/services/web/app/src/infrastructure/CSP.mjs
index eb16282c9d..1f9b49d0b9 100644
--- a/services/web/app/src/infrastructure/CSP.mjs
+++ b/services/web/app/src/infrastructure/CSP.mjs
@@ -85,7 +85,7 @@ const buildViewPolicy = (
   viewDirectives
 ) => {
   const directives = [
-    `script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' https: 'report-sample'`, // only allow scripts from certain sources
+    `script-src 'nonce-${scriptNonce}' 'unsafe-inline' 'strict-dynamic' 'wasm-unsafe-eval' https: 'report-sample'`, // only allow scripts from certain sources
     `object-src 'none'`, // forbid loading an "object" element
     `base-uri 'none'`, // forbid setting a "base" element
     ...(viewDirectives ?? []),