Change feature II_INSECURE_REQUESTS to II_DEV_CSP and allow connections to localhost (#2342)

Frederik Rothenberger · web-flow · commit c4671aa17a5e · 2024-03-07T16:20:55.000Z
This PR removes the feature II_INSECURE_REQUESTS in favour of a more
general II_DEV_CSP feature. That more general feature now allows II
to connect to localhost and its subdomains on both http and https, which
is useful when developing an issuer and using the II dev build to test
the integration.
diff --git a/.github/workflows/canister-tests.yml b/.github/workflows/canister-tests.yml
@@ -50,23 +50,23 @@ jobs:
             II_FETCH_ROOT_KEY: 0
             II_DUMMY_CAPTCHA: 0
             II_DUMMY_AUTH: 0
-            II_INSECURE_REQUESTS: 0
+            II_DEV_CSP: 0
 
           # No captcha and fetching the root key, used in (our) tests, backend and
           # e2e.
           - name: internet_identity_test.wasm.gz
             II_FETCH_ROOT_KEY: 1
             II_DUMMY_CAPTCHA: 1
             II_DUMMY_AUTH: 0
-            II_INSECURE_REQUESTS: 0
+            II_DEV_CSP: 0
 
           # Everything disabled, used by third party developers who only care
           # about the login flow
           - name: internet_identity_dev.wasm.gz
             II_FETCH_ROOT_KEY: 1
             II_DUMMY_CAPTCHA: 1
             II_DUMMY_AUTH: 1
-            II_INSECURE_REQUESTS: 1
+            II_DEV_CSP: 1
 
     steps:
       - uses: actions/checkout@v4
@@ -90,7 +90,7 @@ jobs:
             II_FETCH_ROOT_KEY=${{ matrix.II_FETCH_ROOT_KEY }}
             II_DUMMY_AUTH=${{ matrix.II_DUMMY_AUTH }}
             II_DUMMY_CAPTCHA=${{ matrix.II_DUMMY_CAPTCHA }}
-            II_INSECURE_REQUESTS=${{ matrix.II_INSECURE_REQUESTS }}
+            II_DEV_CSP=${{ matrix.II_DEV_CSP }}
             II_VERSION=${{ steps.version.outputs.version }}
           cache-from: type=gha,scope=cached-stage
           # Exports the artefacts from the final stage
@@ -860,7 +860,7 @@ jobs:
           II_FETCH_ROOT_KEY: 1
           II_DUMMY_CAPTCHA: 1
           II_DUMMY_AUTH: 0
-          II_INSECURE_REQUESTS: 0
+          II_DEV_CSP: 0
         run: ./scripts/build
 
       - run: mv internet_identity.wasm.gz internet_identity_test.wasm.gz
diff --git a/Dockerfile b/Dockerfile
@@ -88,7 +88,7 @@ ARG II_VERSION=
 ARG II_FETCH_ROOT_KEY=
 ARG II_DUMMY_CAPTCHA=
 ARG II_DUMMY_AUTH=
-ARG II_INSECURE_REQUESTS=
+ARG II_DEV_CSP=
 
 RUN touch src/*/src/lib.rs
 RUN npm ci
diff --git a/README.md b/README.md
@@ -140,7 +140,7 @@ frontend. -->
 | `II_FETCH_ROOT_KEY` | When enabled, this instructs the frontend code to fetch the "root key" from the replica.<br/>The Internet Computer (https://ic0.app) uses a private key to sign responses. This private key not being available locally, the (local) replica generates its own. This option effectively tells the Internet Identity frontend to fetch the public key from the replica it connects to. When this option is _not_ enabled, the Internet Identity frontend code will use the (hard coded) public key of the Internet Computer. |
 | `II_DUMMY_CAPTCHA` | When enabled, the CAPTCHA challenge (sent by the canister code to the frontend code) is always the known string `"a"`. This is useful for automated testing. |
 | `II_DUMMY_AUTH` | When enabled, the frontend code will use a known, stable private key for registering anchors and authenticating. This means that all anchors will have the same public key(s). In particular this bypasses the WebAuthn flows (TouchID, Windows Hello, etc), which simplifies automated testing. |
-| `II_INSECURE_REQUESTS` | When enabled, the 'upgrade-insecure-requests' directive is removed from the content security policy in order to allow local development with Safari. |
+| `II_DEV_CSP` | When enabled, the content security policy is weakend to allow connections to II using HTTP and allow II to connect to localhost (and subdomains) in order to facilitate local development. |
 
 ### Flavors
 
@@ -150,7 +150,7 @@ We offer some pre-built Wasm modules that contain flavors, i.e. sets of features
 | --- | --- | :---: |
 | Production | This is the production build deployed to https://identity.ic0.app. Includes none of the build features. | [💾](https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_production.wasm.gz) |
 | Test | This flavor is used by Internet Identity's test suite. It fully supports authentication but uses a known CAPTCHA value for test automation. Includes the following features: <br><ul><li><code>II_FETCH_ROOT_KEY</code></li><li><code>II_DUMMY_CAPTCHA</code></li></ul>| [💾](https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_test.wasm.gz) |
-| Development | This flavor contains a version of Internet Identity that effectively performs no checks. It can be useful for external developers who want to integrate Internet Identity in their project and care about the general Internet Identity authentication flow, without wanting to deal with authentication and, in particular, WebAuthentication. Includes the following features: <br><ul><li><code>II_FETCH_ROOT_KEY</code></li><li><code>II_DUMMY_CAPTCHA</code></li><li><code>II_DUMMY_AUTH</code></li><li><code>II_INSECURE_REQUESTS</code></li></ul><br>See the [`using-dev-build`](demos/using-dev-build/README.md) project for an example on how to use this flavor.| [💾](https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_dev.wasm.gz) |
+| Development | This flavor contains a version of Internet Identity that effectively performs no checks. It can be useful for external developers who want to integrate Internet Identity in their project and care about the general Internet Identity authentication flow, without wanting to deal with authentication and, in particular, WebAuthentication. Includes the following features: <br><ul><li><code>II_FETCH_ROOT_KEY</code></li><li><code>II_DUMMY_CAPTCHA</code></li><li><code>II_DUMMY_AUTH</code></li><li><code>II_DEV_CSP</code></li></ul><br>See the [`using-dev-build`](demos/using-dev-build/README.md) project for an example on how to use this flavor.| [💾](https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_dev.wasm.gz) |
 
 ## Stable Memory Compatibility
 
diff --git a/scripts/build b/scripts/build
@@ -199,13 +199,12 @@ function build_internet_identity() {
       echo "USING DUMMY CAPTCHA"
       extra_build_args+=( --features dummy_captcha )
   fi
-  # This enables the "insecure_requests" feature which disables the content security policy directive
-  # 'upgrade-insecure-requests'.
+  # This enables the "dev_csp" feature which weakens the content security policy to facilitate local development.
   # WARNING: this MUST be opt-in, because we DO NOT want this in production.
-  if [ "${II_INSECURE_REQUESTS:-}" == "1" ]
+  if [ "${II_DEV_CSP:-}" == "1" ]
   then
-      echo "ALLOWING INSECURE REQUESTS"
-      extra_build_args+=( --features insecure_requests )
+      echo "USING DEV CONTENT SECURITY POLICY"
+      extra_build_args+=( --features dev_csp )
   fi
   # XXX: for bash > 4.4, empty arrays are considered unset, so do some substitution
   build_canister "internet_identity" ${extra_build_args[@]+"${extra_build_args[@]}"}
diff --git a/scripts/docker-build b/scripts/docker-build
@@ -27,7 +27,7 @@ Environment:
   II_FETCH_ROOT_KEY     When set to "1", enable the "II_FETCH_ROOT_KEY" feature.
   II_DUMMY_CAPTCHA      When set to "1", enable the "II_DUMMY_CAPTCHA" feature.
   II_DUMMY_AUTH         When set to "1", enable the "II_DUMMY_AUTH" feature.
-  II_INSECURE_REQUESTS  When set to "1", enable the "II_INSECURE_REQUESTS" feature.
+  II_DEV_CSP            When set to "1", enable the "II_DEV_CSP" feature.
 EOF
 }
 
@@ -70,7 +70,7 @@ function build() {
     check_feature "fetchrootkey" "II_FETCH_ROOT_KEY"
     check_feature "dummycaptcha" "II_DUMMY_CAPTCHA"
     check_feature "dummyauth" "II_DUMMY_AUTH"
-    check_feature "insecurerequests" "II_INSECURE_REQUESTS"
+    check_feature "devcsp" "II_DEV_CSP"
 
     docker_build_args+=(--tag "$image_name" .)
 
diff --git a/src/internet_identity/Cargo.toml b/src/internet_identity/Cargo.toml
@@ -59,6 +59,8 @@ ic-response-verification.workspace = true
 # the dummy_captcha feature which ensures the captcha string is always "a"
 # (needed for tests)
 dummy_captcha = []
-# the insecure requests disables removes the 'upgrade-insecure-requests' directive from the CSP in oder to allow local
-# development with Safari.
-insecure_requests = []
+# The dev_csp feature weakens the CSP in oder to facilitate development with a locally deployed II instance.
+# In particular, this allows
+# * accessing II using http instead of https
+# * II to connect to localhost both on http and https, which is useful when developint a vc issuer
+dev_csp = []
diff --git a/src/internet_identity/src/http.rs b/src/internet_identity/src/http.rs
@@ -181,9 +181,14 @@ fn content_security_policy_header(integrity_hashes: Vec<String>) -> String {
         )
     };
 
+    let connect_src = "'self' https://identity.internetcomputer.org https://icp-api.io https://*.icp0.io https://*.ic0.app";
+
+    // Allow connecting to localhost, including subdomains, on http and https for local development purposes
+    #[cfg(feature = "dev_csp")]
+        let connect_src = format!("{connect_src} http://localhost:* http://*.localhost:* https://localhost:* https://*.localhost:*");
     let csp = format!(
         "default-src 'none';\
-         connect-src 'self' https://identity.internetcomputer.org https://icp-api.io https://*.icp0.io https://*.ic0.app;\
+         connect-src {connect_src};\
          img-src 'self' data:;\
          script-src {strict_dynamic} 'unsafe-inline' 'unsafe-eval' https:;\
          base-uri 'none';\
@@ -193,7 +198,8 @@ fn content_security_policy_header(integrity_hashes: Vec<String>) -> String {
          font-src 'self';\
          frame-ancestors 'none';"
     );
-    #[cfg(not(feature = "insecure_requests"))]
+    // for the dev build skip upgrading all connections to II to https
+    #[cfg(not(feature = "dev_csp"))]
     let csp = format!("{csp}upgrade-insecure-requests;");
     csp
 }
