TLDR: upgrade to agent-js 0.19.2 and redeploy your canisters to resolve an issue that has been affecting some IC dapps when using some versions of Chrome.
Issue
Some users were receiving a 502 response when attempting to access a canister through their Chrome browsers. This was due to an invalid signature verification from a read_state call.
Problem
A particular version of Chrome (we tested against Version 115.0.5790.102) is somehow incorrectly executing the JS SHA-256 implementation used to create request IDs. Our best guess is that it is JIT related because the values are correct for a while.
Once the SHA-256 implementation ends up in a bad state it seems at least consistently wrong - all of the outputs are incorrect, and repeated calls for the same input produce the same incorrect hash. So in principle this could be detected at runtime by hashing some fixed string and comparing it against the known good output.
Solution
We have changed the hashing library that agent-js uses to generate SHA-256 hashes to the @noble/hashes library as a stop-gap solution.
Moving forward, we will migrate to native WebCrypto and node crypto, but this will take time since they would transform all of our hash calls into promises and require significant refactoring.
A new agent-js version has been released with a different hashing library. Please update your projects and redeploy so that any users using an affected version of Chrome do not experience downtime.
Many thanks.
EDIT
If you are also experiencing issues with the content security policy not recognizing the icp-api.io domain (something along the lines of "Refused to connect to https://icp-api.io/api/v2/canister/xxxx because it violates the following Content Security Policy directive..."), you can either:
- edit your ic-assets.json file manually to include the icp-api domain in the CSP. It should look like this:
"Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;"
- install dfx version 0.14.4 (will be released week of Aug 28) and redeploy your canister. The icp-api domain will be added to the CSP by default.
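
The runtime check suggested under Problem above (hash a fixed string and compare it against the known good output), as an added example that is not part of the original post or of agent-js. `guardedSha256`, `flakySha256` and `demo` are hypothetical names, Node's built-in crypto stands in for the hash library, and the faulty state is simulated.

```javascript
// Added example (not agent-js code): known-answer self-test around a sync SHA-256.
const { createHash } = require('node:crypto');

// FIPS 180-4 test vector: SHA-256("abc").
const KAT_INPUT = new TextEncoder().encode('abc');
const KAT_DIGEST = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad';

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// Reference implementation for the demo: Node's native hash.
function nativeSha256(data) {
  return new Uint8Array(createHash('sha256').update(data).digest());
}

// Wrap hashFn so the test vector is re-hashed after every real call. The post says
// outputs are correct for a while and then stay wrong, so a startup-only check
// would miss the fault; checking afterwards means a passing check also vouches
// for the digest computed just before it.
function guardedSha256(hashFn) {
  return function sha256(data) {
    const digest = hashFn(data);
    if (toHex(hashFn(KAT_INPUT)) !== KAT_DIGEST) {
      throw new Error('SHA-256 self-test failed; digest discarded');
    }
    return digest;
  };
}

// Constructed stand-in for the faulty state: correct for goodCalls calls, then
// deterministically wrong for every input (first output byte inverted).
function flakySha256(goodCalls) {
  let n = 0;
  return (data) => {
    const out = nativeSha256(data);
    if (n++ >= goodCalls) out[0] ^= 0xff;
    return out;
  };
}

// Hash constructed inputs until the guard trips; report how many digests it released.
function demo(goodCalls = 6) {
  const sha256 = guardedSha256(flakySha256(goodCalls));
  let released = 0;
  try {
    for (;;) { sha256(new TextEncoder().encode('request-' + released)); released++; }
  } catch (err) {
    return { released, error: err.message };
  }
}
```

The guard doubles the hashing cost per call; it relies on the post's observation that a bad state, once reached, persists.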