[v1.14.39] Web terminal broken due to CSP blocking ghostty WASM data: URL

[ddandyy74]

Summary

The web terminal (Ghostty) is completely broken when accessing OpenCode web UI via non-localhost address. The Ghostty WASM module fails to load due to CSP restrictions.

Environment

• OpenCode version: v1.14.39 (latest as of 2026-05-06)
• Runtime: Bun, baseline variant (CPU lacks AVX/AVX2)
• Access method: HTTP Basic Auth, via IP address (http://10.10.22.22:43218)
• Browser: Chrome on Linux

Error

Connecting to 'data:application/wasm;base64,...' violates the following Content Security Policy directive: "connect-src *". Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches self's scheme. The scheme 'data:' must be added explicitly.

Current CSP

Server returns:

Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; media-src 'self' data:; connect-src *

The issue is ghostty-web-*.js loads the WASM module via a data: URL, but connect-src * does not allow data: scheme.

Related

• PR fix(app): load ghostty wasm via asset url #9186 proposed loading ghostty wasm via asset URL instead of data URL, but was closed without being merged
• Old issue Opencode Web: Terminal not working #7578 was closed but the underlying CSP issue persists in v1.14.39

Suggested Fix

Either:

1. Add data: to connect-src in CSP header: connect-src * data:
2. Or merge the approach from PR fix(app): load ghostty wasm via asset url #9186 to load WASM via asset URL instead of data URL

This makes the web terminal completely unusable for remote/headless server deployments.

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• Regression: Web terminal broken in v1.14.38 - CSP blocks Ghostty WASM (data: URIs) #25893: Regression: Web terminal broken in v1.14.38 - CSP blocks Ghostty WASM (data: URIs) — nearly identical issue (same error, same version range, same root cause)
• Web terminal fails under CSP when Ghostty WASM loads via data URL #9185: Web terminal fails under CSP when Ghostty WASM loads via data URL — same underlying problem with the same proposed fix
• Bug: Web Terminal & Styles fail to load due to strict CSP (WASM/data: URI blocked) #9420: Bug: Web Terminal & Styles fail to load due to strict CSP (WASM/data: URI blocked) — same CSP/data: URI blocking issue

If your issue is distinct (e.g. it persists after fixes applied for those issues, or has a different environment-specific trigger), please clarify what differentiates it from those reports.

[ddandyy74]

Closing as duplicate. The fix was merged in PR #25937 after v1.14.39 was released. Should be fixed in the next version.