the overall workflow is.
-
For raw URL xxxx.raw.ic0.app
the flow bypasses the service worker so there is NO content signature verification. -
For the non-raw URL xxxx.ic0.app
this call goes through the service worker that performs the verification after downloading the complete asset. the service worker keeps aside memory to download the asset, if this memory is not enough to store the complete asset (as in your case) the verification bails out.
Do you really need the asset verification, can this requirement be relaxed ? If so then, a workaround would be to fetch via the raw endpoint. Of course, this is a temporary workaround. Once streaming is implemented you can switch back to using the service worker (aka non-raw endpoint)