Enable II on identity.internetcomputer.org (#1239)

* Enable II on identity.internetcomputer.org

This updates the CSP rules to allow II to be served on
`https://identity.internetcomputer.org` in addition to
`https://identity.ic0.app`.

Note that the code now refers to
`https://identity.internetcomputer.org`. The test infrastructure is
also updated.

* 🤖 Selenium screenshots auto-update

* Refer to legacy URL in instructions

* 🤖 Selenium screenshots auto-update

* Reset screenshots

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

docker-test-env/README.md

@@ -6,7 +6,7 @@ Docker compose setup to run selenium tests with. The setup consists of the follo
   * Forwards requests to the test app to `dfx` running on host.
   * Forwards requests to the internet identity to the dev server running on host.
   * Translates domains `<canister_id>.ic0.app` to the corresponding `<canister_id>.localhost` domains.
-  * Translates mapped domains (i.e. `identity.ic0.app`) to the corresponding `<canister_id>.localhost` domain.
+  * Translates mapped domains (i.e. `identity.internetcomputer.org`) to the corresponding `<canister_id>.localhost` domain.
 * selenium container
   * Runs chromium browser.
   * Connects to nginx to access pages of the canister hosted on `dfx` or the dev server

docker-test-env/docker-compose.yml

@@ -15,7 +15,7 @@ services:
         aliases:
           - ic0.app
           # internet identity
-          - identity.ic0.app
+          - identity.internetcomputer.org
           # test app, TEST_APP_CANISTER_ID is substituted by the start-selenium-env script
           - TEST_APP_CANISTER_ID.ic0.app
           - nice-name.com

docker-test-env/reverse_proxy/certs/identity.internetcomputer.org.crt

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF0DCCA7gCCQD3Bvuesq9jyzANBgkqhkiG9w0BAQsFADCBqTELMAkGA1UEBhMC
+Y2gxDzANBgNVBAgMBlp1cmljaDEPMA0GA1UEBwwGWnVyaWNoMRAwDgYDVQQKDAdE
+RklOSVRZMQwwCgYDVQQLDANHSVgxJjAkBgNVBAMMHWlkZW50aXR5LmludGVybmV0
+Y29tcHV0ZXIub3JnMTAwLgYJKoZIhvcNAQkBFiFmcmVkZXJpay5yb3RoZW5iZXJn
+ZXJAZGZpbml0eS5vcmcwHhcNMjMwMjE2MTQwMzUxWhcNMjQwMjE2MTQwMzUxWjCB
+qTELMAkGA1UEBhMCY2gxDzANBgNVBAgMBlp1cmljaDEPMA0GA1UEBwwGWnVyaWNo
+MRAwDgYDVQQKDAdERklOSVRZMQwwCgYDVQQLDANHSVgxJjAkBgNVBAMMHWlkZW50
+aXR5LmludGVybmV0Y29tcHV0ZXIub3JnMTAwLgYJKoZIhvcNAQkBFiFmcmVkZXJp
+ay5yb3RoZW5iZXJnZXJAZGZpbml0eS5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQCUHwx3GNu1Wa/6iTeQcaFpnwaEUNHc4Rld3+vj9eA33+oXdO/V
+oVdoCUVFyB3GJur+lawJp64yJeahXnLlNaIszbFszXYsEWwL73s9c8hCRF90bhhG
+6iB427eCbTdaXIWlKtmj1vSgve6YVMT7/jFFOEGt2i0hRbezULfQJXyqUKZM1isP
+ek1PPqWaQ85lGxN+Jcb/Se+3lOW5sgH3iyJ4qpS/+eQekuTN7XbuUs9aMf+8RV2k
+ss0SgGjyR6yFnPvVRux0mFHba5Er9kIw6N4XPVFU9Z1uqM2hkFZCKtoU4r50lJiB
+uAbqWVsLrwVlRHEOXYW5pkvar2TUEhzVl4yarysWvvC3G+EGDY19Q+eEyCPZEdlC
+Lv8XA3ZOBf4mBrPDlqfIHfMBypWjH/OAsMmtnUFYyZb48Z70DBtirjX2yUeZkmAY
+5qO01w9REkvndL2PwBfzfISV3O4gl1aopp4DL6HVJ1wwIziMdt/lVl6z23U7t00Z
+UsLhGj868nWpWeSarX9BTRvcgfIRWrbDqYJuRybzws+M0lSpXZynzNyuUf40sRxX
+Bkzj4RZX86R55uaLyNAmbxaMrCX9iWgbM+3kkkAcvzpDnH+4lsTh1u/gbQb/Cott
+ymkL9b6XO6vYhGBb5RBG12ZGDtfZukihJF8p0dYEu4tGlIVJeLejqZ7KBwIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4ICAQA6vOB92vnw8aR682PYKSvPsnRSXhk9qAzz8R2j
+OPcc1Qc/RWJSll/JThWdZA595MvozYXAvOJgodAGPmCnq8lfoznImVrpX2qXr0g2
+XVfsrp9hqPFJpMDkJYYaxzDaOEYSjECMLD+9PQTCXZ7WeFpv4CZejLpX7RTz0DsF
+/KHGAtk9ucwewBeJ6cKOy6+bnqkkyM4nVDRlsrCw5aOOzoR1I0hqM68Bm8ZMfDoX
+XuNwMT06qEm0ob6Zm9dEMpSD/m74QTgyguQNVq73XhEUBBjKR1XVg0e0wL1zLX+Q
+GX4uQRWTw2nWME4SVKJbqJRBTD5k35a1YiF3hy9c6yMIa1dRj/HIM68E1BqFL2PC
+jc786D/Vh9ONtVwTfBhB8ODa2GwPdlqG7rMfLQPaF2vQhZRO/lCJVm0MLv14m2IF
+hQ+y6qs6d6Auv9eJRGQVIH7pR4dDsvE/sHvvx/O4RK8ydBG0JKE5FiPMwiIaiF/F
+TK/qcJqiRgp4Bcn+ydQOMg6XyeWKLFByJ+TRajzZ3w7jYzMNtmn+HAyhWdJtQSVj
+csw47OtW59XLk8G34Jl/bdtkCBsPHr46uGnIitIpwG4dGL+cI5XRIneJNuNm3lZN
+WMDdIJOWDcGsImj7Ip6qawSbPr5hAWvY0jBT8vUa8LJ8GNutpww+eHEYyannt2Kg
+JtO85w==
+-----END CERTIFICATE-----

docker-test-env/reverse_proxy/certs/identity.internetcomputer.org.key

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAlB8MdxjbtVmv+ok3kHGhaZ8GhFDR3OEZXd/r4/XgN9/qF3Tv
+1aFXaAlFRcgdxibq/pWsCaeuMiXmoV5y5TWiLM2xbM12LBFsC+97PXPIQkRfdG4Y
+RuogeNu3gm03WlyFpSrZo9b0oL3umFTE+/4xRThBrdotIUW3s1C30CV8qlCmTNYr
+D3pNTz6lmkPOZRsTfiXG/0nvt5TlubIB94sieKqUv/nkHpLkze127lLPWjH/vEVd
+pLLNEoBo8keshZz71UbsdJhR22uRK/ZCMOjeFz1RVPWdbqjNoZBWQiraFOK+dJSY
+gbgG6llbC68FZURxDl2FuaZL2q9k1BIc1ZeMmq8rFr7wtxvhBg2NfUPnhMgj2RHZ
+Qi7/FwN2TgX+Jgazw5anyB3zAcqVox/zgLDJrZ1BWMmW+PGe9AwbYq419slHmZJg
+GOajtNcPURJL53S9j8AX83yEldzuIJdWqKaeAy+h1SdcMCM4jHbf5VZes9t1O7dN
+GVLC4Ro/OvJ1qVnkmq1/QU0b3IHyEVq2w6mCbkcm88LPjNJUqV2cp8zcrlH+NLEc
+VwZM4+EWV/Okeebmi8jQJm8WjKwl/YloGzPt5JJAHL86Q5x/uJbE4dbv4G0G/wqL
+bcppC/W+lzur2IRgW+UQRtdmRg7X2bpIoSRfKdHWBLuLRpSFSXi3o6meygcCAwEA
+AQKCAgA2kqHzF1OLo3m04u136IXB9ndeNLC9oqnH7oJowORVccg70De1C/a6PAAr
+z6k4oooeNmLmQ8NocpJgjf3i+TnBLB/cqG6LmfenBhrv70KvN6W7rfx/1C8WmE0q
+XrbwMfqDeiApvz7uIkxQD5tsBKF+kVWRijrqcVdXV7wBkm42CfTbhmTjFPp64ef9
+yFG46prp9V02HbWWe+OP4UfcPoT61E5t1NH5ecGXJZCWCiifYKCKazwvPDlWQb1o
+1oN3zvjyAWmJI721DBK2kcqdXo7FHTBkDwJsDQGGLzm4szUaUNg+96ig0n6pxTZI
+PbnNL8Q/uLFWTzDPZ6PMhsfc4jNJExcfsvr7x4k7cvu1y2/Tl8AK8vKaOpLgWgnG
+mm7NzVB9900a7mw9ebKxs42x2k1+6vlWkiuXFIoPgUuGNSRWjZ0j/9dkgMzoxsHU
+RfND0VurXGEkwL/UAXKMSaX3rwlge+LijcDMKmMmFbUEQRm6p/NrhjlaDroXxOUb
+MCRf+B3gpEvcYtt+4PRnjDV32ObB5HDexig9rGuMOj3R6J3vKJjlzWGEFuYTeJii
+taFWdeG+7VnpN3li2S8Gvuu2bBSEmY0dP0HtZ7yiTqDntTwoI98hx3yp+akCLJuk
+DerRgwDXyfvgQgCHC1AZp7gfJgoIRJDTlqDGWVtIBV/zgUAIoQKCAQEAwysq/HD6
+Ixj4rRkcnJCnFEskRCMqZrwoMv7e11B4joIFgDJ++YW5AJz9ZW1IT42VmpeFopR9
+ASh/Sexkl8SOblZjpLaJOIXe14CCMx26C8Rx+fz5qGMXKA34V0qth9cxPojr7pNL
+zd9nuC3TAPEspaR+mssvu58/9J08Nx3j/3xcFVdg/mGAcWpIh6u8NYofYPtwavQc
+cDwi0GWMJ/C1G7C2iMwkx4GO+S4I2sSwwVNEEHYZ9DglHUituDxXuviw4iRP8/Pf
+N/GgQM/Ob/H2HBW2R3af86ezCA0GR2juRThELvKeUBv+qAKxVya6WCFUwk+x97AJ
+476MG8R8Qot8nwKCAQEAwknk/pW4EW5uqPYOF8+n/xVX4Cnw4YvojKHrxt5GhWw1
+5Pog4VhbUnundvlClEJg5+wHkyEBUDAvNxJ6W/db0vDasmcU/WJ1KV3LP4mtM7aX
+NekXXg8U4iQZRyBYHJ+ulKydpI1UbZz+DyIYNMCLtXxkttg2DWpXN9v3glQ6heuO
+EP509qrnir0WPCRo/TKyUES2TrqCrO8mKK9bMGJm8F7FJYrwGsQuj7I+ycgOntc7
+QvSkwT1VO0HSM//gpuBfPav7JI3SkviPxDUA2NbifdGQ9Mz9m9xB55a26iM95lPv
+TvBn20WwC/squLyZZngpgt1dkFjiNdD3f5kW+k1RmQKCAQEAsT589XGs2T8OaDWM
+FGwSMI3lS7QcB90NLPLmceh09AcE893oDrfwwavRPNG4f/b3TMQa6wGrXOfoYbw7
+xtENAQuXxri3egupy1C77awrkBBB6mRiXxhOqWO2i6AYZGt8H2y9x5chmsAvM8b5
+/7sHbw8qo22v1dbUgFRjoTKWIypPfloyjhMCUP3TDNNcQ8tCoBL5j0hOo2cZvuTa
+GlOyRol/3FB5fm4c6BN0mylR1ODHyaNYAsESg7vDeLPkgLrl+Ro9OjHaILZhcTrI
+IkY92leliNUkgmVkZAVgFG4pJdfppDFWsS4bYX3AjINxbCQpE6bI20aWVKxyFa2l
+o9GFxQKCAQBlNQ8Hm0A+PFOCymH+/1oY46paCB8Frtbd4z8p4gHEYOEWPUHBgUBZ
+EDblH+URzB4k0ewENW40slT2EDcTDyCTGooh4tapQ4+ak9RbbcF+rb/JAnn8skiD
+oKBWT7/2cSwFIIIiBMkVLHGfunf3itF8IadpI+nMRTfXzkr5ZhzyRAlGSvbsw4xH
+1kXt4F2cf7spWxHIoxmNMiqjiO0soCXVUtjJvL1khAtpKUXR4NfU4HNrZnsoemWa
+r6frFICXDUwvmRYDLamii76AS8f8LLvhJLio/NujRDJEjFsOTnthLxn6+fpv27Zg
+F19iykPyf+fH1r51ggecVxWGL14r1vkJAoIBAETj3xItvfc7G7cWtIEsjNRdB0w1
+wPV1SI3he172TWu6Il+wFSeG9ymR8kKEJ/dbwDLqWDfZOt2LukgsQbfA4egSjRtl
+eAUeb6+9V/jtlRFoGdaPer9ilZXEyUeAXY1vcbkfO/c6cA/4wbWGXBoYAylgJbu3
+fxE3zlwonVyBor7L6Y3vYhJImdh37KbvWPmt8Pk7PI2ZfSTFrAefSSKA4dbRjl6S
+xpmwcrK+DFwoULoMUGnMs3PsKiQW2eMfu3ZW8/JCClA9JWPsqCCWtHNSaM4PWlgx
+W9P6Y2bSwTPGDKRN+zB8K2wWi3kR17H9fPu+uj4ZOZT1kJdy8Src2ET481o=
+-----END RSA PRIVATE KEY-----

docker-test-env/reverse_proxy/nginx.conf

@@ -8,6 +8,7 @@ http {
     sendfile        on;
     keepalive_timeout  65;
 
+    # (a mock of) the IC's HTTP API endpoint
     server {
         listen       443 ssl;
         server_name  ic0.app;
@@ -26,12 +27,14 @@ http {
             proxy_redirect off;
         }
     }
+
+    # (a mock of) the official internet identity server/domain, i.e. where the webapp is served
     server {
         listen       443 ssl;
-        server_name  identity.ic0.app;
+        server_name  identity.internetcomputer.org;
 
-        ssl_certificate      /etc/nginx/certs/identity.ic0.app.crt;
-        ssl_certificate_key  /etc/nginx/certs/identity.ic0.app.key;
+        ssl_certificate      /etc/nginx/certs/identity.internetcomputer.org.crt;
+        ssl_certificate_key  /etc/nginx/certs/identity.internetcomputer.org.key;
 
         location / {
             proxy_pass http://host.docker.internal:II_PORT;

src/canister_tests/src/framework.rs

@@ -394,7 +394,7 @@ xr-spatial-tracking=()",
 
     assert!(Regex::new(
         "^default-src 'none';\
-connect-src 'self' https://ic0.app https://\\*\\.ic0.app;\
+connect-src 'self' https://identity.internetcomputer.org https://icp-api.io https://\\*\\.icp0.io https://ic0.app https://\\*\\.ic0.app;\
 img-src 'self' data:;\
 script-src 'sha256-[a-zA-Z0-9/=+]+' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:;\
 base-uri 'none';\

src/frontend/src/banner.ts

@@ -1,6 +1,6 @@
 import { render, html, TemplateResult } from "lit-html";
 import { anyFeatures } from "./features";
-import { OFFICIAL_II_URL } from "./config";
+import { OFFICIAL_II_URL, LEGACY_II_URL } from "./config";
 
 // Show a warning banner if the build is not "official". This happens if either the build
 // is a flavored build, or if the origin is not the official II URL.
@@ -14,7 +14,10 @@ export const showWarningIfNecessary = (): void => {
         href="https://github.com/dfinity/internet-identity#build-features"
         >more</a
       >`);
-  } else if (window.location.origin !== OFFICIAL_II_URL) {
+  } else if (
+    window.location.origin !== OFFICIAL_II_URL &&
+    window.location.origin !== LEGACY_II_URL
+  ) {
     showWarning(html`This is not the official Internet Identity.
       <a
         class="features-warning-btn"

src/frontend/src/config.ts

@@ -1,7 +1,13 @@
 /* Global configuration for II and constants */
 
 // The official URL, without protocol
-export const OFFICIAL_II_URL_NO_PROTOCOL = "identity.ic0.app";
+export const OFFICIAL_II_URL_NO_PROTOCOL = "identity.internetcomputer.org";
 
 // The URL where the official, production II is served
 export const OFFICIAL_II_URL = "https://" + OFFICIAL_II_URL_NO_PROTOCOL;
+
+// The legacy II URL, without protocol
+export const LEGACY_II_URL_NO_PROTOCOL = "identity.ic0.app";
+
+// The legacy production II URL
+export const LEGACY_II_URL = "https://" + LEGACY_II_URL_NO_PROTOCOL;

src/frontend/src/flows/addDevice/manage/index.ts

@@ -2,7 +2,7 @@ import { html, render } from "lit-html";
 import { browserIcon, securityKeyIcon } from "../../../components/icons";
 import { warnBox } from "../../../components/warnBox";
 import { mainWindow } from "../../../components/mainWindow";
-import { OFFICIAL_II_URL } from "../../../config";
+import { LEGACY_II_URL } from "../../../config";
 
 const pageContent = () => {
   const pageContentSlot = html` <article>
@@ -11,7 +11,7 @@ const pageContent = () => {
       additionalClasses: ["l-stack"],
       title: "Security Warning",
       message: html`Do not continue if you were prompted to do this by any
-        website other than <strong>${OFFICIAL_II_URL}</strong>!`,
+        website other than <strong>${LEGACY_II_URL}</strong>!`,
     })}
     <p class="t-lead l-stack">
       What type of device do you want to add to your Internet Identity? Make

src/frontend/src/flows/addDevice/manage/pollForTentativeDevice.ts

@@ -10,7 +10,7 @@ import {
 } from "../../../../generated/internet_identity_types";
 import { displayError } from "../../../components/displayError";
 import { mainWindow } from "../../../components/mainWindow";
-import { OFFICIAL_II_URL } from "../../../config";
+import { LEGACY_II_URL } from "../../../config";
 
 const pageContent = (userNumber: bigint) => {
   const pageContentSlot = html`
@@ -25,7 +25,7 @@ const pageContent = (userNumber: bigint) => {
       <li>
         Open
         <em class="c-tooltip">
-          <strong class="t-strong">${OFFICIAL_II_URL}</strong>
+          <strong class="t-strong">${LEGACY_II_URL}</strong>
           <span class="c-tooltip__message c-card c-card--narrow">
             Open this link on the device you want to add.
           </span>

src/frontend/src/flows/addDevice/welcomeView/deviceRegistrationModeDisabled.ts

@@ -5,7 +5,7 @@ import {
   TentativeDeviceInfo,
 } from "./registerTentativeDevice";
 import { mainWindow } from "../../../components/mainWindow";
-import { OFFICIAL_II_URL_NO_PROTOCOL } from "../../../config";
+import { LEGACY_II_URL_NO_PROTOCOL } from "../../../config";
 
 const pageContent = (userNumber: bigint) => {
   const pageContentSlot = html` <article>
@@ -23,8 +23,8 @@ const pageContent = (userNumber: bigint) => {
     <ol class="c-list c-list--numbered l-stack">
       <li>
         Log into
-        <strong class="t-strong">${OFFICIAL_II_URL_NO_PROTOCOL}</strong> with
-        your Identity Anchor (<strong class="t-strong">${userNumber}</strong>)
+        <strong class="t-strong">${LEGACY_II_URL_NO_PROTOCOL}</strong> with your
+        Identity Anchor (<strong class="t-strong">${userNumber}</strong>)
       </li>
       <li>
         Once you are logged in, click “<strong class="t-string"

src/frontend/src/flows/registerDisabled.ts

@@ -2,7 +2,7 @@ import { html, render } from "lit-html";
 import { warnBox } from "../components/warnBox";
 import { LoginFlowCanceled, cancel } from "../utils/flowResult";
 import { mainWindow } from "../components/mainWindow";
-import { OFFICIAL_II_URL } from "../config";
+import { LEGACY_II_URL } from "../config";
 
 const pageContent = (onCancel: () => void) => {
   const pageContentSlot = html` <hgroup>
@@ -14,7 +14,7 @@ const pageContent = (onCancel: () => void) => {
         message: html`<p class="t-paragraph t-lead">
             To keep you safe, we disabled registration from this address. If you
             want to securely create a new Internet Identity, visit:
-            <a class="t-link" href=${OFFICIAL_II_URL}>${OFFICIAL_II_URL}</a>.
+            <a class="t-link" href=${LEGACY_II_URL}>${LEGACY_II_URL}</a>.
           </p>
           <p class="t-paragraph">
             If you were redirected here by another website, please inform the

src/frontend/src/test-e2e/constants.ts

@@ -6,7 +6,7 @@ export const TEST_APP_CANISTER_ID = test_app_canister_ids.test_app.local;
 export const TEST_APP_CANONICAL_URL = `https://${TEST_APP_CANISTER_ID}.ic0.app`;
 export const TEST_APP_NICE_URL = "https://nice-name.com";
 export const REPLICA_URL = "https://ic0.app";
-export const II_URL = "https://identity.ic0.app";
+export const II_URL = "https://identity.internetcomputer.org";
 export const ABOUT_URL = `${II_URL}/about`;
 
 export const DEVICE_NAME1 = "Virtual WebAuthn device";

src/frontend/src/test-e2e/register.test.ts

@@ -35,7 +35,7 @@ const TEST_APP_CANISTER_ID = test_app_canister_ids.test_app.local;
 const TEST_APP_CANONICAL_URL = `https://${TEST_APP_CANISTER_ID}.ic0.app`;
 const TEST_APP_NICE_URL = "https://nice-name.com";
 const REPLICA_URL = "https://ic0.app";
-const II_URL = "https://identity.ic0.app";
+import { II_URL } from "./constants";
 const ABOUT_URL = `${II_URL}/about`;
 
 const DEVICE_NAME1 = "Virtual WebAuthn device";