Potential Redirect Issue with "allow_raw_access: false" in .ic-assets.json5

pixld8ta · April 2, 2025, 3:45pm

Deploying the asset canister with the setting “allow_raw_access: false” does not produce the desired result: the browser does not redirect from the URL “https://canisterId.raw.icp0.io” to “https://canisterId.icp0.io”.

This used to work a couple of months ago.

The .ic-assets.json5 file contains custom headers, and they are being sent to the browser — which means the file is being processed.

Is this a temporary issue?

@peterparker @Severin Could you please tag someone who might be able to help? Thanks

peterparker · April 3, 2025, 2:04pm

So, I don’t know the answer - that’s why I didn’t reply earlier - since I don’t use DFX myself. In Juno, there is an option for raw, but it’s intentionally undocumented because I believe it’s an insecure and bad practice to use it.

The best person to answer your question is Severin, whom you already tagged. I think he’s out of the office today, but he’ll probably see the notification next time he’s around. If you don’t get an answer after few days, feel free to resurface the question.

pixld8ta · April 3, 2025, 6:36pm

Thanks for the reply.

Yes, I do want the “raw” version to be inaccessible, but for some reason, after deploying the new canister, the redirect doesn’t work.

I’ll be waiting for a response from Severin.

Severin · April 4, 2025, 8:57am

Is this a fresh deployment or did you update an existing deployment? dfx sometimes has issues updating metadata like headers or this setting. If you tried to update an existing deployment, would you mind trying to upgrade the canister with --mode reinstall?

pixld8ta · April 4, 2025, 7:16pm

This canister was created by the code from another canister one week ago. Then I uninstalled this canister using “dfx”. Then deployed asset canister using “dfx deploy…”

FYI: adding new custom header to .ic-assets.json5 file and redeploying - takes effect - browser immediately receives new header.

pixld8ta · April 7, 2025, 6:27am

Reinstalled with --mode reinstall - still getting Status 200 (not redirect) for “raw” url

alexeychirkov · April 8, 2025, 6:02am

Dear @Severin - any ideas?

Severin · April 8, 2025, 8:15am

Sorry, got overwhelmed by my todo list. I would like to narrow the issue down if the problem is with updating the setting, or with doing the redirect.

If you call get_asset_properties with argument ("<path to a file>") on the asset canister, what does it report for allow_raw_access (maybe displayed as 3_021_287_825)? Is it null, or what does the setting say?

pixld8ta · April 8, 2025, 8:52am

Calling dfx canister --network ic_test call CANISTER_ID get_asset_properties '("/index.html")' - output is:

(
  record {
    headers = opt vec {
      record {
        "Strict-Transport-Security";
        "max-age=31536000; includeSubDomains";
      };
      record { "X-XSS-Protection"; "1; mode=block" };
      record { "Referrer-Policy"; "same-origin" };
      record {
        "Content-Security-Policy";
        "default-src \'self\';script-src \'self\';connect-src \'self\' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src \'self\' data:;style-src * \'unsafe-inline\';style-src-elem * \'unsafe-inline\';font-src *;object-src \'none\';base-uri \'self\';frame-ancestors \'none\';form-action \'self\';upgrade-insecure-requests;";
      };
      record { "X-Content-Type-Options"; "nosniff" };
      record { "X-Frame-Options"; "DENY" };
      record {
        "Permissions-Policy";
        "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()";
      };
    };
    is_aliased = null;
    allow_raw_access = opt false;
    max_age = null;
  },
)

Content of .ic-assets.json file:

[
  {
    "match": "**/*",
    "security_policy": "standard",
    "allow_raw_access": false
  },
  {
    "match": ".well-known",
    "ignore": false
  },
  {
    "match": ".well-known/ii-alternative-origins",
    "headers": {
      "Access-Control-Allow-Origin": "*",
      "Content-Type": "application/json"
    },
    "ignore": false
  }
]

Severin · April 8, 2025, 12:02pm

Well… I’m pretty stumped on this one. allow_raw_access = opt false; in the output of get_asset_properties means that the setting is applied correctly. Given this logic, if the setting is correct and the request is recognized as coming from raw then redirection should happen. Nothing about the logic to detect raw has changed. I just asked internally and the Host header gets passed correctly (EDIT: nevermind, probably not). We have tests that verify that redirection works.

What URL do you use to make the raw request? Would you mind sharing the full link? DM is fine too.

Severin · April 8, 2025, 12:27pm

Apparently the Host header (which the asset canister relies on for detecting if the request is coming from .raw) is only passed in HTTP1 requests, but not HTTP2. So under HTTP2 canisters have no way to figure out if a request is coming from raw or not. The boundary node team will discuss options and I will do my best to think of reporting back here.

pixld8ta · April 23, 2025, 7:19am

Hello @Severin
Any news regarding HTTP2 requests?
Thanks

Severin · April 23, 2025, 9:20am

Thanks for the ping, I heard that a workaround is implemented and deployed on the boundary nodes. It should work again.

pixld8ta · April 23, 2025, 9:53am

Still does not work.

My canister is on a subnet opn46-zyspe-hhmyp-4zu6u-7sbrh-dok77-m7dch-im62f-vyimr-a3n2c-4ae.

(
  record {
    headers = opt vec {
      record { "Referrer-Policy"; "same-origin" };
      record { "X-Content-Type-Options"; "nosniff" };
      record {
        "Content-Security-Policy";
        "default-src \'self\';script-src \'self\';connect-src \'self\' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src \'self\' data:;style-src * \'unsafe-inline\';style-src-elem * \'unsafe-inline\';font-src *;object-src \'none\';base-uri \'self\';frame-ancestors \'none\';form-action \'self\';upgrade-insecure-requests;";
      };
      record {
        "Permissions-Policy";
        "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()";
      };
      record { "X-XSS-Protection"; "1; mode=block" };
      record { "Cache-Control"; "no-cache" };
      record { "X-Frame-Options"; "DENY" };
      record {
        "Strict-Transport-Security";
        "max-age=31536000; includeSubDomains";
      };
    };
    is_aliased = null;
    allow_raw_access = opt false;
    max_age = null;
  },
)

Also OpenChat https://6hsbt-vqaaa-aaaaf-aaafq-cai.raw.icp0.io/ has no redirect.

pixld8ta · April 25, 2025, 7:59am

Hi @Severin, just checking in — have there been any updates regarding the issue?

It’s still not working on my end. OpenChat https://6hsbt-vqaaa-aaaaf-aaafq-cai.raw.icp0.io/ also still lacks a redirect.

Would appreciate any news when you have a moment. Thanks!

Severin · April 25, 2025, 8:07am

Someone on the boundary node team wanted to investigate again but was probably distracted. I’ll ping them again

rbirkner · April 25, 2025, 9:53am

Hey @pixld8ta

sorry for the late reply. We have added a fix to the HTTP gateway to inject the host header in case it is missing (this is the case for HTTP2 as it doesn’t use the host header, but the authority). I made a local test with the following two commands:

$ curl -sLv -X GET \
    --resolve oa7fk-maaaa-aaaam-abgka-cai.ic0.app:443:212.71.124.186 \
    https://oa7fk-maaaa-aaaam-abgka-cai.ic0.app/
    
$ curl -sLv --http2 -X GET \
    --resolve oa7fk-maaaa-aaaam-abgka-cai.ic0.app:443:212.71.124.186 \
    https://oa7fk-maaaa-aaaam-abgka-cai.ic0.app/

How do you test it?

Topic		Replies	Views
Is there is a way to deploy asset canister without redirecting from raw.ic0.app to ic0.app? Developers	0	359	October 6, 2022
Up to date documentation - dfx - asset canister redirect urls Developers Documentation	1	38	November 14, 2024
Dfx 0.13.1 is promoted with breaking changes Developers	25	1615	May 24, 2023
How to config image URLs to work the same as .raw. version? Developers	23	995	May 21, 2023
Custom asset canister does not provide files as raw Developers	17	908	November 29, 2023

Potential Redirect Issue with "allow_raw_access: false" in .ic-assets.json5

Related topics