diff --git a/CHANGELOG.md b/CHANGELOG.md index a9a15c9a82..27ee506d80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -66,7 +66,8 @@ This allows the verifying side to try to transform the response such that it mat For example, if only the encoding `gzip` is requested but the `identity` encoding is certified, the `gzip` encoding is returned with the certificate for the `identity` encoding. The verifying side can then unzip the response and will have a valid certificate for the `identity` response. -- Module hash: cd3e7fa2b826f84cdd107eef28633b0c669b4687ae1598dd854828e82d2e4652 +- Module hash: baf9bcab2ebc2883f850b965af658e66725087933df012ebd35c03929c39efe3 +- https://github.com/dfinity/sdk/pull/3369 - https://github.com/dfinity/sdk/pull/3298 - https://github.com/dfinity/sdk/pull/3281 
@@ -80,6 +81,18 @@ The `use-old-metering` flag enables old metering in replica. The new metering is The flag is temporary and will be removed in a few months. +### fix: added https://icp-api.io to the default Content-Security-Policy header + +Existing projects will need to change this value in .ic-assets.json or .ic-assets.json5 to include https://icp-api.io + +All projects will need to redeploy. + +### fix: access to raw assets is now enabled by default + +The default value for `allow_raw_access` is now `true`. This means that by default, the frontend canister will no longer restrict the access of traffic to the `.raw.icp0.io` domain, and will no longer automatically redirect all requests to the certified domain (`.icp0.io`), unless configured explicitly. + +Note that existing projects that specify `"allow_raw_access": false` in .ic-assets.json5 will need to change or remove this value manually in order to allow raw access. + ### feat!: Removed dfx nns and dfx sns commands Both have now been turned into the dfx extensions. In order to obtain them, please run `dfx extension install nns` and `dfx extension install sns` respectively. After the installation, you can use them as you did before: `dfx nns ...`, and `dfx sns ...`. @@ -166,7 +179,9 @@ Updated Motoko to [0.9.7](https://github.com/dfinity/motoko/releases/tag/0.9.7) ### Frontend canister -- Module hash: 88d1e5795d29debc1ff56fa0696dcb3adfa67f82fe2739d1aa644263838174b9 +- Module hash: e20be8df2c392937a6ae0f70d20ff23b75e8c71d9085a8b8bb438b8c2d4eafe5 +- https://github.com/dfinity/sdk/pull/3337 +- https://github.com/dfinity/sdk/pull/3298 - https://github.com/dfinity/sdk/pull/3256 - https://github.com/dfinity/sdk/pull/3252 - https://github.com/dfinity/sdk/pull/3249 diff --git a/e2e/tests-dfx/assetscanister.bash b/e2e/tests-dfx/assetscanister.bash index 8207eac768..10152e960f 100644 --- a/e2e/tests-dfx/assetscanister.bash +++ b/e2e/tests-dfx/assetscanister.bash 
@@ -134,14 +134,14 @@ check_permission_failure() { dfx identity get-principal --identity prepare dfx canister call e2e_project_frontend list_permitted '(record { permission = variant { Commit }; })' assert_command dfx deploy e2e_project_frontend --by-proposal --identity prepare - assert_contains "Proposed commit of batch 2 with evidence 4301263f1fcc0d19ef92cfb6774c4da92bf1a9d2002a293a9d95d97819c02958. Either commit it by proposal, or delete it." + assert_contains "Proposed commit of batch 2 with evidence 164fcc4d933ff9992ab6ab909a4bf350010fa0f4a3e1e247bfc679d3f45254e1. Either commit it by proposal, or delete it." assert_command_fail dfx deploy e2e_project_frontend --by-proposal --identity prepare assert_contains "Batch 2 is already proposed. Delete or execute it to propose another." assert_command dfx deploy e2e_project_frontend --compute-evidence --identity anonymous # shellcheck disable=SC2154 - assert_eq "4301263f1fcc0d19ef92cfb6774c4da92bf1a9d2002a293a9d95d97819c02958" "$stdout" + assert_eq "164fcc4d933ff9992ab6ab909a4bf350010fa0f4a3e1e247bfc679d3f45254e1" "$stdout" ID=$(dfx canister id e2e_project_frontend) PORT=$(get_webserver_port) 
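Review bot: The expected evidence is pasted as separate literals in this hunk (the `assert_contains` message and the `assert_eq` against `$stdout`) and again as an escaped `blob "\16\4f…"` and a `164f` prefix in the `@@ -161,9` hunk, so every asset change means hand-editing several copies that must stay byte-identical; the same pattern repeats in `@@ -213,11` and `@@ -225,9`. Keeping one pinned value per test and deriving the other forms from it would remove that risk, for example `evidence=164fcc4d…` followed by `evidence_blob=$(printf '%s' "$evidence" | sed 's/../\\&/g')`. The literal should stay pinned rather than be read back from `--compute-evidence`, because the fixed value is what detects an unintended change in how evidence is computed. The enclosing test body starts and ends outside these hunks.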
@@ -161,9 +161,9 @@ check_permission_failure() { assert_command_fail dfx canister call e2e_project_frontend commit_proposed_batch "$wrong_commit_args" --identity commit assert_match "batch computed evidence .* does not match presented evidence" - commit_args='(record { batch_id = 2; evidence = blob "\43\01\26\3f\1f\cc\0d\19\ef\92\cf\b6\77\4c\4d\a9\2b\f1\a9\d2\00\2a\29\3a\9d\95\d9\78\19\c0\29\58" } )' + commit_args='(record { batch_id = 2; evidence = blob "\16\4f\cc\4d\93\3f\f9\99\2a\b6\ab\90\9a\4b\f3\50\01\0f\a0\f4\a3\e1\e2\47\bf\c6\79\d3\f4\52\54\e1" } )' assert_command dfx canister call e2e_project_frontend validate_commit_proposed_batch "$commit_args" --identity commit - assert_contains "commit proposed batch 2 with evidence 4301" + assert_contains "commit proposed batch 2 with evidence 164f" assert_command dfx canister call e2e_project_frontend commit_proposed_batch "$commit_args" --identity commit assert_eq "()" @@ -213,11 +213,11 @@ check_permission_failure() { dfx identity get-principal --identity prepare dfx canister call e2e_project_frontend list_permitted '(record { permission = variant { Commit }; })' assert_command dfx deploy e2e_project_frontend --by-proposal --identity prepare - assert_contains "Proposed commit of batch 2 with evidence 1b45c8b1d0deec88ac032590e0f1cd9ab407f796e827aac880f4ffb035fdc200. Either commit it by proposal, or delete it." + assert_contains "Proposed commit of batch 2 with evidence 9b72eee7f0d7af2a9b41233c341b1caa0c905ef91405f5f513ffb58f68afee5b. Either commit it by proposal, or delete it." assert_command dfx deploy e2e_project_frontend --compute-evidence --identity anonymous # shellcheck disable=SC2154 - assert_eq "1b45c8b1d0deec88ac032590e0f1cd9ab407f796e827aac880f4ffb035fdc200" "$stdout" + assert_eq "9b72eee7f0d7af2a9b41233c341b1caa0c905ef91405f5f513ffb58f68afee5b" "$stdout" ID=$(dfx canister id e2e_project_frontend) PORT=$(get_webserver_port) 
@@ -225,9 +225,9 @@ check_permission_failure() { assert_command_fail curl --fail -vv http://localhost:"$PORT"/sample-asset.txt?canisterId="$ID" assert_contains "The requested URL returned error: 404" - commit_args='(record { batch_id = 2; evidence = blob "\1b\45\c8\b1\d0\de\ec\88\ac\03\25\90\e0\f1\cd\9a\b4\07\f7\96\e8\27\aa\c8\80\f4\ff\b0\35\fd\c2\00" } )' + commit_args='(record { batch_id = 2; evidence = blob "\9b\72\ee\e7\f0\d7\af\2a\9b\41\23\3c\34\1b\1c\aa\0c\90\5e\f9\14\05\f5\f5\13\ff\b5\8f\68\af\ee\5b" } )' assert_command dfx canister call e2e_project_frontend validate_commit_proposed_batch "$commit_args" --identity commit - assert_contains "commit proposed batch 2 with evidence 1b45c8b1d0deec88ac032590e0f1cd9ab407f796e827aac880f4ffb035fdc200" + assert_contains "commit proposed batch 2 with evidence 9b72eee7f0d7af2a9b41233c341b1caa0c905ef91405f5f513ffb58f68afee5b" assert_command dfx canister call e2e_project_frontend commit_proposed_batch "$commit_args" --identity commit assert_eq "()" @@ -1398,20 +1398,20 @@ CHERRIES" "$stdout" "cache": { "max_age": 2000 }, - "allow_raw_access": false + "allow_raw_access": true }' assert_match 'WARN: 4 unmatched configurations in .*/src/e2e_project_frontend/assets/somedir/.ic-assets.json config file:' assert_contains 'WARN: { "match": "nevermatchme", "headers": {}, "ignore": false, - "allow_raw_access": false + "allow_raw_access": true } WARN: { "match": "nevermatchmetoo", "headers": {}, "ignore": false, - "allow_raw_access": false + "allow_raw_access": true } WARN: { "match": "non-matcher", @@ -1419,7 +1419,7 @@ WARN: { "x-header": "x-value" }, "ignore": false, - "allow_raw_access": false + "allow_raw_access": true }' # splitting this up into two checks, because the order is different on macos vs ubuntu assert_contains 'WARN: { @@ -1428,7 +1428,7 @@ WARN: { "x-header": "x-value" }, "ignore": false, - "allow_raw_access": false + "allow_raw_access": true }' } 
@@ -1456,7 +1456,7 @@ WARN: { record { headers = opt vec { record { "x-key"; "x-value" } }; is_aliased = opt true; - allow_raw_access = opt false; + allow_raw_access = opt true; max_age = opt (2_000 : nat64); }, )' @@ -1476,7 +1476,7 @@ WARN: { record { headers = opt vec { record { "x-key"; "x-value" } }; is_aliased = opt true; - allow_raw_access = opt false; + allow_raw_access = opt true; max_age = opt (5 : nat64); }, )' @@ -1489,7 +1489,7 @@ WARN: { record { headers = opt vec { record { "new-key"; "new-value" } }; is_aliased = opt true; - allow_raw_access = opt false; + allow_raw_access = opt true; max_age = opt (5 : nat64); }, )' @@ -1585,7 +1585,7 @@ WARN: { record { headers = null; is_aliased = null; - allow_raw_access = opt false; + allow_raw_access = opt true; max_age = null; }, )' diff --git a/src/canisters/frontend/ic-asset/src/asset/config.rs b/src/canisters/frontend/ic-asset/src/asset/config.rs index 19b0dbace4..68a883dde3 100644 --- a/src/canisters/frontend/ic-asset/src/asset/config.rs +++ b/src/canisters/frontend/ic-asset/src/asset/config.rs @@ -23,7 +23,7 @@ pub struct AssetConfig { pub(crate) headers: Option, pub(crate) ignore: Option, pub(crate) enable_aliasing: Option, - #[derivative(Default(value = "Some(false)"))] + #[derivative(Default(value = "Some(true)"))] pub(crate) allow_raw_access: Option, } @@ -35,7 +35,7 @@ pub(crate) struct CacheConfig { } fn default_raw_access() -> Option { - Some(false) + Some(true) } /// A single configuration object, from `.ic-assets.json` config file @@ -931,7 +931,7 @@ mod with_tempdir { .get_asset_config(assets_dir.join("index.html").as_path()) .unwrap(), AssetConfig { - allow_raw_access: Some(false), + allow_raw_access: Some(true), ..Default::default() }, ); diff --git a/src/canisters/frontend/ic-certified-assets/src/state_machine.rs b/src/canisters/frontend/ic-certified-assets/src/state_machine.rs index 01a9b3f697..4bcc82b90a 100644 --- a/src/canisters/frontend/ic-certified-assets/src/state_machine.rs 
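Review bot: In `config.rs` the default for `allow_raw_access` is spelled twice, once in the `#[derivative(Default(value = "Some(true)"))]` attribute on `AssetConfig` (hunk `@@ -23,7`) and once in `default_raw_access()` (hunk `@@ -35,7`), and both had to be flipped by hand in this commit. Pointing the attribute at the function, `#[derivative(Default(value = "default_raw_access()"))]`, would leave a single place to change, assuming the attribute accepts an arbitrary expression as it appears to. Because this value decides whether an asset is served on `.raw.icp0.io` instead of being redirected to the certified domain, the field also deserves a doc comment, e.g. `/// Defaults to Some(true): the asset is served on the raw domain; Some(false) redirects raw requests to the certified domain.` The struct and the function are only partly visible in these hunks.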
+++ b/src/canisters/frontend/ic-certified-assets/src/state_machine.rs @@ -243,7 +243,7 @@ pub struct StableState { impl Asset { fn allow_raw_access(&self) -> bool { - self.allow_raw_access.unwrap_or(false) + self.allow_raw_access.unwrap_or(true) } fn update_ic_certificate_expressions(&mut self) { diff --git a/src/canisters/frontend/ic-certified-assets/src/tests.rs b/src/canisters/frontend/ic-certified-assets/src/tests.rs index 6e1f5e4e07..3afe42767f 100644 --- a/src/canisters/frontend/ic-certified-assets/src/tests.rs +++ b/src/canisters/frontend/ic-certified-assets/src/tests.rs @@ -1601,7 +1601,9 @@ mod allow_raw_access { "https://a-b-c.ic0.app/page" ); - state.create_test_asset(AssetBuilder::new("/page2.html", "text/html")); + state.create_test_asset( + AssetBuilder::new("/page2.html", "text/html").with_allow_raw_access(Some(false)), + ); let response = state.fake_http_request("a-b-c.raw.icp0.io", "/page2"); dbg!(&response); assert_eq!(response.status_code, 308); @@ -1610,7 +1612,9 @@ mod allow_raw_access { "https://a-b-c.icp0.io/page2" ); - state.create_test_asset(AssetBuilder::new("/index.html", "text/html")); + state.create_test_asset( + AssetBuilder::new("/index.html", "text/html").with_allow_raw_access(Some(false)), + ); let response = state.fake_http_request("a-b-c.raw.icp0.io", "/"); dbg!(&response); assert_eq!(response.status_code, 308); diff --git a/src/dfx/assets/new_project_node_files/src/__project_name___frontend/assets/.ic-assets.json5 b/src/dfx/assets/new_project_node_files/src/__project_name___frontend/assets/.ic-assets.json5 index 8dc76d1ee6..ccdea94aa1 100644 --- a/src/dfx/assets/new_project_node_files/src/__project_name___frontend/assets/.ic-assets.json5 +++ b/src/dfx/assets/new_project_node_files/src/__project_name___frontend/assets/.ic-assets.json5 
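Review bot: The `unwrap_or(true)` fallback in `Asset::allow_raw_access` (`state_machine.rs`, hunk `@@ -243,7`) applies to every stored asset whose field is `None`, so after an upgrade such assets would switch from redirecting to being served on `.raw.icp0.io` without any config change by the project owner. The changelog entry in this commit only mentions projects that set `"allow_raw_access": false` explicitly; it is worth confirming whether deployed canisters hold assets with `None` and, if so, calling that out there. This makes the fallback fail-open with respect to the certified domain, which merits a comment at the call, e.g. `// None means raw access is allowed; only Some(false) redirects .raw.icp0.io to the certified domain`. The `impl Asset` block continues outside the hunk.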
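Review bot: The two redirect cases in `mod allow_raw_access` (`tests.rs`, hunks `@@ -1601,7` and `@@ -1610,7`) now opt in with `with_allow_raw_access(Some(false))`, but the visible hunks add no case for the new default, i.e. an asset built without the setting and requested via `a-b-c.raw.icp0.io`. A test that pins that behaviour would catch an accidental flip of the default in either direction: for example `state.create_test_asset(AssetBuilder::new("/page3.html", "text/html"));` (a constructed asset name), then a request for `/page3` on the raw host and an assertion that the status is not 308. Such a case may already exist outside these hunks, and the test function itself starts and ends outside them.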
@@ -24,7 +24,7 @@ // See: https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md. // - We added img-src data: because data: images are used often. // - frame-ancestors: none mitigates clickjacking attacks. See https://owasp.org/www-community/attacks/Clickjacking. - "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://icp0.io https://*.icp0.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;", + "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;", // Security: The permissions policy disables all features for security reasons. If your site needs such permissions, activate them. // To configure permissions go here https://www.permissionspolicy.com/ @@ -50,7 +50,8 @@ // See: https://owasp.org/www-community/attacks/xss/ "X-XSS-Protection": "1; mode=block" }, - // redirect all requests from .raw.icp0.io to .icp0.io (this redirection is the default) - "allow_raw_access": false + // Set the allow_raw_access field to false to redirect all requests from .raw.icp0.io to .icp0.io + // The default behavior is to allow raw access. + // "allow_raw_access": true }, ] diff --git a/src/dfx/assets/new_project_node_files/src/__project_name___frontend/src/.ic-assets.json5 b/src/dfx/assets/new_project_node_files/src/__project_name___frontend/src/.ic-assets.json5 index 8dc76d1ee6..ccdea94aa1 100644 --- a/src/dfx/assets/new_project_node_files/src/__project_name___frontend/src/.ic-assets.json5 
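Review bot: The comment block above the `Content-Security-Policy` value explains `img-src data:` and `frame-ancestors`, but not the origin this hunk adds to `connect-src`, so a later reader cannot tell whether `https://icp-api.io` is still needed or safe to drop. Adding a line such as `// - connect-src allows https://icp-api.io so the frontend can reach the IC API endpoint on that domain.` would keep the allowlist auditable; that rationale is inferred from the change and should be confirmed. Only the exact origin is listed, with no wildcard, which keeps the addition narrow. The identical hunk in `src/__project_name___frontend/src/.ic-assets.json5` needs the same comment.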
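Review bot: The replacement comment in the `@@ -50,7 +50,8` hunk says how to turn the redirect back on but not why a project would want to, and projects generated from this template now start with raw access allowed. The changelog text in this commit describes `.icp0.io` as the certified domain, so the comment should state the trade-off, e.g. `// Requests to .raw.icp0.io are then answered directly instead of being redirected to the certified domain; set this to false for assets whose integrity matters.` The commented-out sample `// "allow_raw_access": true` also shows the default rather than the value a reader would uncomment to restore the redirect; `// "allow_raw_access": false` would match the sentence above it. The same applies to the identical hunk in `src/__project_name___frontend/src/.ic-assets.json5`.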
+++ b/src/dfx/assets/new_project_node_files/src/__project_name___frontend/src/.ic-assets.json5 @@ -24,7 +24,7 @@ // See: https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md. // - We added img-src data: because data: images are used often. // - frame-ancestors: none mitigates clickjacking attacks. See https://owasp.org/www-community/attacks/Clickjacking. - "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://icp0.io https://*.icp0.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;", + "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;", // Security: The permissions policy disables all features for security reasons. If your site needs such permissions, activate them. // To configure permissions go here https://www.permissionspolicy.com/ @@ -50,7 +50,8 @@ // See: https://owasp.org/www-community/attacks/xss/ "X-XSS-Protection": "1; mode=block" }, - // redirect all requests from .raw.icp0.io to .icp0.io (this redirection is the default) - "allow_raw_access": false + // Set the allow_raw_access field to false to redirect all requests from .raw.icp0.io to .icp0.io + // The default behavior is to allow raw access. + // "allow_raw_access": true }, ] diff --git a/src/distributed/assetstorage.wasm.gz b/src/distributed/assetstorage.wasm.gz index f0773cf036..db405979dd 100755 Binary files a/src/distributed/assetstorage.wasm.gz and b/src/distributed/assetstorage.wasm.gz differ