Upgrade agent-js to resolve a Chrome issue

TLDR: upgrade to agent-js 0.19.2 and redeploy your canisters to resolve an issue that has been affecting some IC dapps when using some versions of Chrome.


Some users were receiving a 502 response when attempting to access a canister through their Chrome browsers. This was due to an invalid signature verification from a read_state call.


A particular version of Chrome (we tested against Version 115.0.5790.102 ) is somehow incorrectly executing the JS SHA-256 implementation used to create request IDs. Our best guess is that it is JIT related because the values are correct for a while.

Once the SHA-256 implementation ends up in a bad state it seems at least consistently wrong - all of the outputs are incorrect, and repeated calls for the same input produce the same incorrect hash. So in principle this could be detected at runtime by hashing some fixed string and comparing it against the known good output.


We have changed the hashing library that agent-js uses to generate SHA-256 hashes to the @noble/hashes library as a stop-gap solution.

Moving forward, we will migrate to native WebCrypto and node crypto, but this will take time since they would transform all of our hash calls into promises and require significant refactoring.

A new agent-js version has been released with a different hashing library. Please update your projects and redeploy so that any users using an affected version of Chrome do not experience down time.

Many thanks.


If you are also experiencing issues with the content security policy not recognizing the icp-api.io domain (something along the lines of Refused to connect to https://icp-api.io/api/v2/canister/xxxx because it violates the following Content Security Policy directive... you can either:

  1. edit your ic-assets.json file manually to include the icp-api domain in the CSP. It should look like this
"Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;"
  1. install dfx version 0.14.4 (will be released week of Aug 28) and redeploy your canister. the icp-api domain will be added to the CSP by default.

This is all accurate, with the caveat that the refactor to WebCrypto may not be worth it since we still need the @noble/hashes library for sha224 hashes in Principal encoding and decoding, and switching to Promise based hashing would be a breaking change for a substantial number of API’s


Hey thanks for the update, it seems we need dfx 0.14.4 to fix this? So we are just waiting for the new dfx version and we can deploy the changes to our canisters?

DFX isn’t required. You can edit your package.json or run npm upgrade @dfinity/agent to update your frontend code and get the latest patch at any time

1 Like

Awesome, thanks @kpeacock!

Hey all, we’ve updated to the recommended specs and the “page failed to load error” has mostly gone away. We have noticed the issue persists for urls with different language chars:

For example this url has 无论美联储是否加息btc仍将回到7万刀 in it and does not work while this url works.

I also notice I can navigate through the UI in some cases, but as soon as I refresh the page the error returns.

Not entirely sure but, this looks like a similiar issue to the one I faced recently (it’s not related to agent-js) and which should be solved by a fix in the Boundary Nodes. Not sure if the fix is already in prod or scheduled to be deployed though but, the fix exists (if same issue).

@rbirkner @Kepler the “url decoding for encoded query strings” has be deployed?

This is unfortunately an additional edge case that we have not catered for, I’m looking for a solution now. Thanks for reporting @Mitch

1 Like

Sounds good, thanks for looking into it @peterparker / @NathanosDev

1 Like

A fix is done and has started moving through the pipeline, I’ll update you once we’re releasing this.