Relax II's CSP-policies, to enable calling custom domains (#2344)
* Relax II's CSP-policies, to enable calling custom domains

* 🤖 cargo-fmt auto-update

* Allow http: for all in DEV-mode

Co-authored-by: Frederik Rothenberger <frederik.rothenberger@dfinity.org>

* Adjust documentation

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Frederik Rothenberger <frederik.rothenberger@dfinity.org>
3 people authored Mar 8, 2024
1 parent c4671aa commit 36621c4
Showing 4 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -140,7 +140,7 @@ frontend. -->
| `II_FETCH_ROOT_KEY` | When enabled, this instructs the frontend code to fetch the "root key" from the replica.<br/>The Internet Computer (https://ic0.app) uses a private key to sign responses. This private key not being available locally, the (local) replica generates its own. This option effectively tells the Internet Identity frontend to fetch the public key from the replica it connects to. When this option is _not_ enabled, the Internet Identity frontend code will use the (hard coded) public key of the Internet Computer. |
| `II_DUMMY_CAPTCHA` | When enabled, the CAPTCHA challenge (sent by the canister code to the frontend code) is always the known string `"a"`. This is useful for automated testing. |
| `II_DUMMY_AUTH` | When enabled, the frontend code will use a known, stable private key for registering anchors and authenticating. This means that all anchors will have the same public key(s). In particular this bypasses the WebAuthn flows (TouchID, Windows Hello, etc), which simplifies automated testing. |
| `II_DEV_CSP` | When enabled, the content security policy is weakend to allow connections to II using HTTP and allow II to connect to localhost (and subdomains) in order to facilitate local development. |
| `II_DEV_CSP` | When enabled, the content security policy is weakend to allow connections to II using HTTP and allow II to connect via http in order to facilitate development. |

### Flavors

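Review bot: In the new `II_DEV_CSP` row, "allow II to connect via http" no longer says to which hosts, while the old row limited it to localhost and subdomains. Since the `dev_csp` feature now appends a bare `http:` source to connect-src, the row should say that II may connect to any host over plain HTTP when the flag is set. The typo "weakend" (for "weakened") is carried over from the old line and could be fixed in the same edit.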
2 changes: 1 addition & 1 deletion scripts/build
Expand Up @@ -199,7 +199,7 @@ function build_internet_identity() {
echo "USING DUMMY CAPTCHA"
extra_build_args+=( --features dummy_captcha )
fi
# This enables the "dev_csp" feature which weakens the content security policy to facilitate local development.
# This enables the "dev_csp" feature which weakens the content security policy to facilitate development.
# WARNING: this MUST be opt-in, because we DO NOT want this in production.
if [ "${II_DEV_CSP:-}" == "1" ]
then
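Review bot: The reworded comment above the `II_DEV_CSP` check only drops the word "local" and still leaves "weakens the content security policy" unspecified. Given the WARNING on the following line, the comment should state what the weakening now is (connect-src additionally allows `http:` to any host, no longer only localhost), so that whoever sets `II_DEV_CSP=1` for a shared or staging build knows the scope.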
4 changes: 2 additions & 2 deletions src/canister_tests/src/framework.rs
Expand Up @@ -418,7 +418,7 @@ xr-spatial-tracking=()",

let rgx = Regex::new(
"^default-src 'none';\
connect-src 'self' https://identity.internetcomputer.org https://icp-api.io https://\\*\\.icp0.io https://\\*\\.ic0.app;\
connect-src 'self' https:;\
img-src 'self' data:;\
script-src 'strict-dynamic' ('[^']+' )*'unsafe-inline' 'unsafe-eval' https:;\
base-uri 'none';\
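Review bot: The expected connect-src in the regex is now the scheme-only `'self' https:`, with no comment saying why the host allowlist was removed. A short comment above `Regex::new(` pointing at the custom-domain requirement (#2344) would keep a later reader from treating the broad source as a test mistake. Because the pattern is anchored with `^` and `$`, it covers only the build without `dev_csp`; a second expectation for the dev build (`'self' https: http:`) would cover the other branch changed in http.rs.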
Expand All @@ -427,7 +427,7 @@ style-src 'self' 'unsafe-inline';\
style-src-elem 'self' 'unsafe-inline';\
font-src 'self';\
frame-ancestors 'none';\
upgrade-insecure-requests;$"
upgrade-insecure-requests;$",
)
.unwrap();

6 changes: 3 additions & 3 deletions src/internet_identity/src/http.rs
Expand Up @@ -181,11 +181,11 @@ fn content_security_policy_header(integrity_hashes: Vec<String>) -> String {
)
};

let connect_src = "'self' https://identity.internetcomputer.org https://icp-api.io https://*.icp0.io https://*.ic0.app";
let connect_src = "'self' https:";

// Allow connecting to localhost, including subdomains, on http and https for local development purposes
// Allow connecting via http for development purposes
#[cfg(feature = "dev_csp")]
let connect_src = format!("{connect_src} http://localhost:* http://*.localhost:* https://localhost:* https://*.localhost:*");
let connect_src = format!("{connect_src} http:");
let csp = format!(
"default-src 'none';\
connect-src {connect_src};\
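Review bot: `let connect_src = "'self' https:";` removes the host allowlist entirely, so connect-src no longer limits which HTTPS origins page script can send requests to, and the line carries no comment explaining that this is deliberate. Please add a comment stating that the scheme-only source is required for custom domains and naming the directives the policy still relies on to contain injected script. In the `dev_csp` branch, `format!("{connect_src} http:")` replaces the localhost-only entries with plain HTTP to every host; if development only needs a local replica plus a known set of hosts, listing those would be narrower than a bare `http:`.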
