Add privacy opt to fetch function for NYM support
#697
base: master
Cursor Bugbot has reviewed your changes and found 4 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| console.error('mixFetch error:', error) | ||
| throw error | ||
| } | ||
| } |
Development code routes all traffic through mixFetch
High Severity
The code contains a block explicitly marked "temporarily enable mixFetch always for development purposes" that checks privacy === 'none' (the default) to route ALL non-login network traffic through the NYM mixnet. This is inverted from the intended opt-in behavior—compare with browser-io.ts which correctly checks privacy === 'nym'. This will slow down all network requests and could cause failures if mixFetch initialization fails.
| </head><body></body></html> | ||
| """, | ||
| baseURL: Bundle.main.bundleURL | ||
| ) |
Source prop ignored, breaking custom script loading
Medium Severity
The visitPage() function now ignores the source prop except when it contains localhost:8080. On Android, mSource is completely ignored—it always loads from the bundle server. On iOS, custom sources not matching localhost:8080 are silently discarded. Previously, the source prop allowed loading custom scripts, which this change breaks.
Additional Locations (1)
| ...opts, | ||
| mode: 'unsafe-ignore-cors' as RequestMode | ||
| }) | ||
| } |
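Review bot: The "as RequestMode" cast on the mode: 'unsafe-ignore-cors' line hides that this value is not one of the standard fetch RequestMode values (cors, no-cors, same-origin, navigate), so the type checker can no longer flag it if these options ever reach a regular fetch call. Suggest declaring the value on a dedicated options type for the mixFetch call instead of casting, and adding a comment that states why skipping CORS enforcement is acceptable on this path and that the setting must stay confined to mixnet requests.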
Browser mixFetch missing required initialization call
High Severity
The browser implementation calls queuedMixFetch without first calling initMixFetch(). The React Native implementation explicitly calls await initMixFetch() with a comment "Ensure mixFetch is initialized before use" before calling queuedMixFetch. The browser code only imports queuedMixFetch but not initMixFetch. When a browser user sets privacy: 'nym', the request will fail because createMixFetch() was never called to set up the mixFetch client.
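The two high-severity findings above (default traffic routed through the mixnet, and mixFetch used before it is initialized) both concern one wrapper, sketched here as an added example that is not code from this PR or from @nymproject/mix-fetch. The names makeFetch, directFetch, createClient and the stub client are hypothetical, and failing closed instead of falling back to a direct request is an assumption of this sketch.

```javascript
// Pure routing decision: the mixnet is opt-in, so only an explicit
// privacy: 'nym' selects it. A missing option or 'none' stays direct.
function chooseTransport(opts = {}) {
  const privacy = opts.privacy ?? 'none'
  if (privacy !== 'none' && privacy !== 'nym') {
    throw new TypeError(`unknown privacy option: ${privacy}`)
  }
  return privacy === 'nym' ? 'mix' : 'direct'
}

// directFetch and createClient are injected (hypothetical) dependencies.
function makeFetch({ directFetch, createClient }) {
  let initPromise = null // memoized so concurrent callers share one init

  function initMixFetch() {
    if (initPromise == null) {
      initPromise = createClient().catch(error => {
        initPromise = null // allow a retry after a failed init
        throw error
      })
    }
    return initPromise
  }

  return async function edgeFetch(uri, opts = {}) {
    const { privacy, ...rest } = opts
    if (chooseTransport({ privacy }) === 'direct') return directFetch(uri, rest)
    // Ensure the client exists before the first mixnet request.
    const client = await initMixFetch()
    // Fail closed: a caller who asked for 'nym' never falls back to direct.
    return client.mixFetch(uri, rest)
  }
}

// Constructed stubs so the example runs offline.
function makeStubs() {
  const log = []
  let failNext = false
  const directFetch = async uri => { log.push(`direct ${uri}`); return 'direct' }
  const createClient = async () => {
    log.push('init')
    if (failNext) { failNext = false; throw new Error('init failed') }
    return { mixFetch: async uri => { log.push(`mix ${uri}`); return 'mix' } }
  }
  return { log, directFetch, createClient, failInit: () => { failNext = true } }
}
```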
| let server = BundleHTTPServer(port: 3993) | ||
| server.start() | ||
| self.httpServer = server | ||
|
|
iOS race condition between server start and page load
Medium Severity
In iOS init(), server.start() is called followed immediately by visitPage() on line 59. However, BundleHTTPServer.start() is asynchronous—it calls listener?.start(queue: queue) and returns before the server is actually ready to accept connections. The server is only ready when the state handler receives .ready. The WebView may attempt to load from localhost:3993 before the server is listening, causing the page load to fail. Android avoids this by only calling visitPage() from setSource(), which is invoked later by React Native.
CHANGELOG
Does this branch warrant an entry to the CHANGELOG?
Dependencies
none
Description
none
Note
Introduces NYM mixnet networking and cross-origin isolation support across platforms.
- privacy option to EdgeFetchOptions and routes privacy: 'nym' requests through queuedMixFetch; implements initMixFetch/queuedMixFetch using @nymproject/mix-fetch
- BundleHTTPServer on Android (BundleHTTPServer.java) and iOS (BundleHTTPServer.swift) serving index.html, edge-core.js, and plugin files at http://localhost:3993/ with COOP/COEP headers
- EdgeCoreWebView (Android/iOS) to start/stop the server and load index.html; RN worker converts plugin URIs to /plugin/... paths
- browser-io supports privacy: 'nym'
- @nymproject/mix-fetch dependency
- *.wasm and web-worker-*.js, serve src/index.html, set COOP/COEP dev headers, and proxy /plugin to localhost:3993
- android/src/main/assets/edge-core-js/*
- src/index.html; tsconfig skipLibCheck
Written by Cursor Bugbot for commit c5d1a9e. This will update automatically on new commits. Configure here.