fix: add icp-api.io to default CSP; default to allow raw access (#3327)

* fix: add icp0-api.io to default CSP; default to allow raw access * chore: port updates to cdk 0.10.0, candid 0.9 for release 0.14.4 (#3330) Co-authored-by: Yan Chen <[email protected]> Co-authored-by: Linwei Shang <[email protected]>
dfinity · Aug 26, 2023 · 6d7422a · 6d7422a
1 parent 44a3856
commit 6d7422a
Show file tree

Hide file tree

Showing 37 changed files with 1,180 additions and 274 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -57,9 +57,10 @@ jobs:
  rustup default ${{ matrix.rust }}
  cargo install --force --version ${{ matrix.cargo-audit }} cargo-audit --locked
  - name: Audit
+ # ignores RUSTSEC-2020-0071 because it is 'only' in a dev dependency (ic-certified-responses -> ic-types -> chrono -> time)
  run: |
  cd sdk
- cargo audit --no-fetch --db "${GITHUB_WORKSPACE}"/advisory-db
+ cargo audit --no-fetch --db "${GITHUB_WORKSPACE}"/advisory-db --ignore RUSTSEC-2020-0071
  env:
  RUST_BACKTRACE: 1
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,32 @@
 # dfx changelog
 
+# 0.14.4
+
+## DFX
+
+### fix: added https://icp-api.io to the default Content-Security-Policy header
+
+Existing projects will need to change this value in .ic-assets.json or .ic-assets.json5 to include https://icp-api.io
+
+All projects will need to redeploy.
+
+### fix: access to raw assets is now enabled by default
+
+The default value for `allow_raw_access` is now `true`. This means that by default, the frontend canister will no longer restrict the access of traffic to the `<canister-id>.raw.icp0.io` domain, and will no longer automatically redirect all requests to the certified domain (`<canister-id>.icp0.io`), unless configured explicitly.
+
+Note that existing projects that specify `"allow_raw_access": false` in .ic-assets.json5 will need to change or remove this value manually in order to allow raw access.
+
+## Dependencies
+
+### Updated candid to 0.9.0
+
+### Updated cdk-rs to 0.10.0
+
+### Frontend canister
+
+- Module hash: d5c324fea6b0f8eaa9feede10b342b098f7cf64682e168e58fa2ca2bf028b96f
+- https://github.com/dfinity/sdk/pull/3327
+
 # 0.14.3
 
 ## Dependencies
@@ -12,8 +39,6 @@ This removes a dependency on OpenSSL in order to avoid spurious errors that refe
 
 # 0.14.2
 
-Note: Canister http functionality is broken. Do not release dfx until this is corrected. See https://dfinity.atlassian.net/browse/SDK-1129
-
 ## DFX
 
 ### feat: deprecate `dfx bootstrap` and `dfx replica` commands