feat: Make internet_identity_frontend a pullable DFX dependency (#3685)

aterga · claude · Copilot · web-flow · commit 3fe023906a0d · 2026-03-20T14:37:08.000Z
# Make `internet_identity_frontend` a pullable dependency Add `candid:args` and `dfx` pullable metadata to the frontend canister build (matching the existing backend pattern), with `internet_identity` declared as a dependency. Includes a `frontend_init_arg()` helper with local dev defaults. < [Previous PR](#3683) | --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
diff --git a/scripts/build b/scripts/build
@@ -118,6 +118,15 @@ EOF
 	printf '%s\n' "$init_arg"
 }
 
+frontend_init_arg() {
+	local init_arg
+	init_arg=$(cat <<'EOF'
+(record { fetch_root_key = opt true; backend_canister_id = principal "rdmx6-jaaaa-aaaaa-aaadq-cai"; related_origins = opt vec { "http://uqzsh-gqaaa-aaaaq-qaada-cai.localhost:4943" }; backend_origin = "http://rdmx6-jaaaa-aaaaa-aaadq-cai.localhost:4943"; dev_csp = opt true})
+EOF
+)
+	printf '%s\n' "$init_arg"
+}
+
 # Builds a single canister
 # build_canister CANISTER EXTRA_BUILD_ARGS...
 # CANISTER: possible values: [internet_identity, archive]
@@ -194,6 +203,33 @@ function build_canister() {
               ic-wasm "$canister.wasm" -o "$canister.wasm" metadata dfx -d "$metadata_json" -v public
           fi
 
+        fi
+
+        if [ "$canister" == "internet_identity_frontend" ]
+        then
+          # indicate the frontend canister init argument type
+          ic-wasm "$canister.wasm" -o "$canister.wasm" metadata candid:args -d "(InternetIdentityFrontendInit)" -v public
+
+          # Write pullable metadata for dfx.
+          IFS=, read -r -a version_parts <<< "$II_VERSION"
+          release="${version_parts[1]}"
+          if [ -n "$release" ]
+          then
+              asset_name="internet_identity_frontend.wasm.gz"
+              wasm_url="https://github.com/dfinity/internet-identity/releases/download/$release/$asset_name"
+              wasm_hash_url="https://github.com/dfinity/internet-identity/releases/download/$release/$asset_name.sha256"
+
+              fe_init_arg=$(frontend_init_arg)
+              init_guide="Provide backend_canister_id and backend_origin matching your II backend deployment. Set related_origins to contain the frontend canister's local origin, e.g., \"http://uqzsh-gqaaa-aaaaq-qaada-cai.localhost:4943\". Set dev_csp = opt true for local development over HTTP."
+              metadata_json=$(echo '{}' | jq -cMr \
+                  --arg wasm_url "$wasm_url" \
+                  --arg wasm_hash_url "$wasm_hash_url" \
+                  --arg init_arg "$fe_init_arg" \
+                  --arg init_guide "$init_guide" \
+                  '. | .pullable = { wasm_url: $wasm_url, wasm_hash_url: $wasm_hash_url, dependencies: ["rdmx6-jaaaa-aaaaa-aaadq-cai"], init_arg: $init_arg, init_guide: $init_guide} ')
+              ic-wasm "$canister.wasm" -o "$canister.wasm" metadata dfx -d "$metadata_json" -v public
+          fi
+
         fi
         gzip --best --no-name --force "$canister.wasm"
     fi
diff --git a/src/internet_identity_frontend/src/main.rs b/src/internet_identity_frontend/src/main.rs
@@ -273,6 +273,13 @@ fn get_asset_headers(
 ///   Allow fonts only from same origin
 ///
 /// frame-ancestors 'self' <related_origins...>:
+/// connect-src:
+///   In production, `connect-src 'self' https:` allows connections to the same origin
+///   and to HTTPS endpoints only. When `dev_csp` is enabled (development mode),
+///   `http:` is also allowed (`connect-src 'self' https: http:`) to support local
+///   development. Allowing `http:` weakens transport security and must not be used
+///   in production.
+///
 ///   Control embedding - allow same origin and configured related origins
 ///
 /// frame-src 'self' <related_origins...>:
@@ -461,7 +468,8 @@ candid::export_service!();
 fn main() {}
 
 #[cfg(test)]
-mod test {
+mod tests {
+    use super::get_content_security_policy;
     use crate::__export_service;
     use candid_parser::utils::{service_equal, CandidSource};
     use std::path::Path;
@@ -479,4 +487,35 @@ mod test {
             panic!("the canister code interface is not equal to the did file: {e:?}")
         });
     }
+
+    #[test]
+    fn csp_differs_between_dev_and_prod_for_connect_src_and_upgrade_insecure_requests() {
+        // Dev CSP: allow http: in connect-src and omit upgrade-insecure-requests
+        let dev_csp = get_content_security_policy(Vec::new(), None, true);
+
+        assert!(
+            dev_csp.contains("connect-src 'self' https: http:"),
+            "dev CSP should allow http: in connect-src, got: {dev_csp}"
+        );
+        assert!(
+            !dev_csp.contains("upgrade-insecure-requests;"),
+            "dev CSP should not include upgrade-insecure-requests, got: {dev_csp}"
+        );
+
+        // Prod CSP: disallow http: in connect-src and include upgrade-insecure-requests
+        let prod_csp = get_content_security_policy(Vec::new(), None, false);
+
+        assert!(
+            prod_csp.contains("connect-src 'self' https:"),
+            "prod CSP should allow https: in connect-src, got: {prod_csp}"
+        );
+        assert!(
+            !prod_csp.contains("connect-src 'self' https: http:"),
+            "prod CSP should not allow http: in connect-src, got: {prod_csp}"
+        );
+        assert!(
+            prod_csp.contains("upgrade-insecure-requests;"),
+            "prod CSP should include upgrade-insecure-requests, got: {prod_csp}"
+        );
+    }
 }
