From ccbc28322e538ce0c8a83d219e0560994ddf22a8 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Sun, 18 Aug 2024 17:20:46 -0500
Subject: [PATCH] Add wasm-unsafe-eval to CSP for LNC (#1313)
---
 middleware.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/middleware.js b/middleware.js
index 0659e365..b25c6ec5 100644
--- a/middleware.js
+++ b/middleware.js
@@ -91,7 +91,7 @@ export function middleware (request) {
 // Using nonces and strict-dynamic deploys a strict CSP.
 // see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy.
 // Old browsers will ignore nonce and strict-dynamic and fallback to host-based matching and unsafe-inline
- `script-src 'self' 'unsafe-inline' 'nonce-${nonce}' 'strict-dynamic' https:` + devScriptSrc,
+ `script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' 'nonce-${nonce}' 'strict-dynamic' https:` + devScriptSrc,
 // unsafe-inline for styles is not ideal but okay if script-src is using nonces
 "style-src 'self' a.stacker.news 'unsafe-inline'",
 "manifest-src 'self'",
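Review bot: The new `'wasm-unsafe-eval'` source goes into the single `script-src` string built in `middleware`, so as far as this hunk shows it is sent on every response the middleware covers, not only on pages that load LNC. The keyword permits WebAssembly compilation without permitting JS `eval()`, so it is the narrow choice over `'unsafe-eval'`. However, the comment above the line still describes the policy purely as nonce plus strict-dynamic, and nothing records why the relaxation exists. I would add a line such as `// 'wasm-unsafe-eval': needed for LNC's WebAssembly; does not allow eval() in JS`. Consider also appending the keyword only on the routes that need LNC, the way `devScriptSrc` appears to be appended separately. The body of `middleware` starts and ends outside the hunk, so the route matching and how `devScriptSrc` is built are not visible here.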