
Commit 3fe0239

atergaclaudeCopilot
authored
feat: Make internet_identity_frontend a pullable DFX dependency (#3685)
# Make `internet_identity_frontend` a pullable dependency Add `candid:args` and `dfx` pullable metadata to the frontend canister build (matching the existing backend pattern), with `internet_identity` declared as a dependency. Includes a `frontend_init_arg()` helper with local dev defaults. < [Previous PR](#3683) | --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
1 parent 6f3a747 commit 3fe0239


2 files changed

+76
-1
lines changed


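--- a/scripts/build
+++ b/scripts/build
@@ -118,6 +118,15 @@ EOF
 printf '%s\n' "$init_arg"
 }
 
+frontend_init_arg() {
+local init_arg
+init_arg=$(cat <<'EOF'
+(record { fetch_root_key = opt true; backend_canister_id = principal "rdmx6-jaaaa-aaaaa-aaadq-cai"; related_origins = opt vec { "http://uqzsh-gqaaa-aaaaq-qaada-cai.localhost:4943" }; backend_origin = "http://rdmx6-jaaaa-aaaaa-aaadq-cai.localhost:4943"; dev_csp = opt true})
+EOF
+)
+printf '%s\n' "$init_arg"
+}
+
 # Builds a single canister
 # build_canister CANISTER EXTRA_BUILD_ARGS...
 # CANISTER: possible values: [internet_identity, archive]
@@ -194,6 +203,33 @@ function build_canister() {
 ic-wasm "$canister.wasm" -o "$canister.wasm" metadata dfx -d "$metadata_json" -v public
 fi
 
+fi
+
+if [ "$canister" == "internet_identity_frontend" ]
+then
+# indicate the frontend canister init argument type
+ic-wasm "$canister.wasm" -o "$canister.wasm" metadata candid:args -d "(InternetIdentityFrontendInit)" -v public
+
+# Write pullable metadata for dfx.
+IFS=, read -r -a version_parts <<< "$II_VERSION"
+release="${version_parts[1]}"
+if [ -n "$release" ]
+then
+asset_name="internet_identity_frontend.wasm.gz"
+wasm_url="https://github.com/dfinity/internet-identity/releases/download/$release/$asset_name"
+wasm_hash_url="https://github.com/dfinity/internet-identity/releases/download/$release/$asset_name.sha256"
+
+fe_init_arg=$(frontend_init_arg)
+init_guide="Provide backend_canister_id and backend_origin matching your II backend deployment. Set related_origins to contain the frontend canister's local origin, e.g., \"http://uqzsh-gqaaa-aaaaq-qaada-cai.localhost:4943\". Set dev_csp = opt true for local development over HTTP."
+metadata_json=$(echo '{}' | jq -cMr \
+--arg wasm_url "$wasm_url" \
+--arg wasm_hash_url "$wasm_hash_url" \
+--arg init_arg "$fe_init_arg" \
+--arg init_guide "$init_guide" \
+'. | .pullable = { wasm_url: $wasm_url, wasm_hash_url: $wasm_hash_url, dependencies: ["rdmx6-jaaaa-aaaaa-aaadq-cai"], init_arg: $init_arg, init_guide: $init_guide} ')
+ic-wasm "$canister.wasm" -o "$canister.wasm" metadata dfx -d "$metadata_json" -v public
+fi
+
 fi
 gzip --best --no-name --force "$canister.wasm"
 fi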
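Review bot: The pullable metadata ships the output of `frontend_init_arg()` as the default `init_arg`, and that record sets `fetch_root_key = opt true` and `dev_csp = opt true`, yet `init_guide` never says these values are meant for a local replica only. The doc comment this same commit adds in main.rs states that the `http:` allowance under `dev_csp` must not be used in production, so a consumer who keeps the defaults elsewhere gets the weakened CSP with no hint in the guide; what `fetch_root_key` does is not visible here, but it presumably belongs under the same caveat. I would end `init_guide` with `The default init_arg targets a local replica only; do not set fetch_root_key or dev_csp on a production deployment.` Separately, the principal `rdmx6-jaaaa-aaaaa-aaadq-cai` is now hard-coded in the init record, in the backend origin and in the `dependencies` list, so one shell variable would keep the three from drifting apart. `build_canister` starts and ends outside the second hunk.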

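--- a/src/internet_identity_frontend/src/main.rs
+++ b/src/internet_identity_frontend/src/main.rs
@@ -273,6 +273,13 @@ fn get_asset_headers(
 /// Allow fonts only from same origin
 ///
 /// frame-ancestors 'self' <related_origins...>:
+/// connect-src:
+/// In production, `connect-src 'self' https:` allows connections to the same origin
+/// and to HTTPS endpoints only. When `dev_csp` is enabled (development mode),
+/// `http:` is also allowed (`connect-src 'self' https: http:`) to support local
+/// development. Allowing `http:` weakens transport security and must not be used
+/// in production.
+///
 /// Control embedding - allow same origin and configured related origins
 ///
 /// frame-src 'self' <related_origins...>:
@@ -461,7 +468,8 @@ candid::export_service!();
 fn main() {}
 
 #[cfg(test)]
-mod test {
+mod tests {
+use super::get_content_security_policy;
 use crate::__export_service;
 use candid_parser::utils::{service_equal, CandidSource};
 use std::path::Path;
@@ -479,4 +487,35 @@ mod test {
 panic!("the canister code interface is not equal to the did file: {e:?}")
 });
 }
+
+#[test]
+fn csp_differs_between_dev_and_prod_for_connect_src_and_upgrade_insecure_requests() {
+// Dev CSP: allow http: in connect-src and omit upgrade-insecure-requests
+let dev_csp = get_content_security_policy(Vec::new(), None, true);
+
+assert!(
+dev_csp.contains("connect-src 'self' https: http:"),
+"dev CSP should allow http: in connect-src, got: {dev_csp}"
+);
+assert!(
+!dev_csp.contains("upgrade-insecure-requests;"),
+"dev CSP should not include upgrade-insecure-requests, got: {dev_csp}"
+);
+
+// Prod CSP: disallow http: in connect-src and include upgrade-insecure-requests
+let prod_csp = get_content_security_policy(Vec::new(), None, false);
+
+assert!(
+prod_csp.contains("connect-src 'self' https:"),
+"prod CSP should allow https: in connect-src, got: {prod_csp}"
+);
+assert!(
+!prod_csp.contains("connect-src 'self' https: http:"),
+"prod CSP should not allow http: in connect-src, got: {prod_csp}"
+);
+assert!(
+prod_csp.contains("upgrade-insecure-requests;"),
+"prod CSP should include upgrade-insecure-requests, got: {prod_csp}"
+);
+}
 }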
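Review bot: The negative assertion `!prod_csp.contains("connect-src 'self' https: http:")` in the new test rejects only one exact spelling, so it keeps passing if the production policy ever lists `http:` in another position or after an additional source. Checking the directive's tokens pins the property itself: `let connect_src = prod_csp.split(';').find(|d| d.trim_start().starts_with("connect-src")).expect("connect-src directive");` followed by `assert!(!connect_src.split_whitespace().any(|s| s == "http:"));`. The dev-side check `!dev_csp.contains("upgrade-insecure-requests;")` has the same weakness, since it depends on the trailing semicolon. In the first hunk the new `connect-src:` paragraph sits between the `frame-ancestors` heading and what looks like its description (`Control embedding - ...`); placing it before the `frame-ancestors` line would keep each directive next to its own text, though the doc comment begins outside the hunk, so the intended layout is inferred.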
