The DFX asset canister has a configuration option allow_raw_access but, I cannot find any specification about it.
Where’s that feature documented and how can any canister prevent access through .raw.?
1 Like
I had a look at the source code of the DFX asset canister, given that I did not find any documentation.
Correct me if I’m wrong, but the canister seems to detect if it’s accessed via a .raw. URL and, if so, issues a permanent redirect.
If my understanding is correct, then here are my specific questions:
-
The canister appears to identify
.raw.icwith aHostheader. I assume that this header is forwarded by the Boundary Nodes. Where are these particular headers and their values specified? -
Does the permanent redirect response need to be certified, or given the parituclar use case, is the certification unnecessary since it’s queried on
.raw.and redirect on.raw.as well?
We resolved my questions with few of my colleagues.
Where are these particular headers and their values specified?
There is no particular list because the boundary nodes do not strip any HTTP headers. This was my incorrect assumption.
Therefore, it is safe to prevent access to .raw. by reading the value of the Host header, for example by redirecting if it contains such a prefix. This is what I implemented in this PR.
It unblocks me, but I’ll probably revisit this subject someday because preventing access to .raw should probably not be a concern of any canister code, in my opinion. I rather tend to think that .raw should be generally disabled for security reasons and maybe, made an opt-in feature on the boundary nodes level.
Does the permanent redirect response need to be certified
It doesn’t need to be certified since it’s on raw.
1 Like