diff --git a/CHANGELOG.md b/CHANGELOG.md
index bc73a261c4..cc7e266048 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 # UNRELEASED
+### fix: allow `http://localhost:*` as `connect-src` in the asset canister's CSP
+
+This will enable browsing the asset canister at `http://.localhost:` in most browsers.
+
 ### fix: frontend code crashing when there is no canister ID
 ### feat: `dfx ledger top-up` also accepts canister names
diff --git a/src/dfx/assets/new_project_node_files/src/__project_name___frontend/assets/.ic-assets.json5 b/src/dfx/assets/new_project_node_files/src/__project_name___frontend/assets/.ic-assets.json5
index ccdea94aa1..b58d2e1fc6 100644
--- a/src/dfx/assets/new_project_node_files/src/__project_name___frontend/assets/.ic-assets.json5
+++ b/src/dfx/assets/new_project_node_files/src/__project_name___frontend/assets/.ic-assets.json5
@@ -24,7 +24,7 @@
 // See: https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md.
 // - We added img-src data: because data: images are used often.
 // - frame-ancestors: none mitigates clickjacking attacks. See https://owasp.org/www-community/attacks/Clickjacking.
- "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
+ "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
 // Security: The permissions policy disables all features for security reasons. If your site needs such permissions, activate them.
 // To configure permissions go here https://www.permissionspolicy.com/
diff --git a/src/dfx/assets/new_project_node_files/src/__project_name___frontend/src/.ic-assets.json5 b/src/dfx/assets/new_project_node_files/src/__project_name___frontend/src/.ic-assets.json5
index ccdea94aa1..b58d2e1fc6 100644
--- a/src/dfx/assets/new_project_node_files/src/__project_name___frontend/src/.ic-assets.json5
+++ b/src/dfx/assets/new_project_node_files/src/__project_name___frontend/src/.ic-assets.json5
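Review bot: The new `http://localhost:*` source on the `+` line becomes part of the CSP served by the deployed asset canister, not only while it is browsed locally, and the rationale block above it (which explains `img-src data:` and `frame-ancestors`) says nothing about it; with the port wildcard, CSP no longer blocks page scripts (already allowed `'unsafe-eval'`) from opening connections to any port on the visitor's own loopback, so the trade-off should be visible to whoever keeps this template. Please add a line to that comment block, e.g. `// - connect-src http://localhost:* lets the frontend reach the local replica when the canister is browsed at http://<canister-id>.localhost:<port>; it also applies to the deployed canister, so remove it if you do not need that.`. Two things worth confirming rather than assuming: the same policy keeps `upgrade-insecure-requests`, and whether a given browser upgrades a loopback `http://` fetch under that directive (and so still blocks it) varies; and if the local agent is addressed as `127.0.0.1` instead of the `localhost` hostname, this source does not match it. The identical change is made in src/dfx/assets/new_project_node_files/src/__project_name___frontend/src/.ic-assets.json5 (same blob ids), so the same comment belongs there.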
@@ -24,7 +24,7 @@
 // See: https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md.
 // - We added img-src data: because data: images are used often.
 // - frame-ancestors: none mitigates clickjacking attacks. See https://owasp.org/www-community/attacks/Clickjacking.
- "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
+ "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
 // Security: The permissions policy disables all features for security reasons. If your site needs such permissions, activate them.
 // To configure permissions go here https://www.permissionspolicy.com/