
[Question / Feature Request] CORS-RFC1918 Support


Is your feature request related to a problem? Please describe.

I’ve not seen this mentioned before (apologies if it has come up).

Chrome will soon implement this and block any public to private requests (public domain to 127.0.0.1).

See https://chromestatus.com/feature/5436853517811712

Describe the solution you’d like

Update the cors package to easily set the new CORS header (maybe auto-magically?): https://wicg.github.io/private-network-access/#headers

Describe alternatives you’ve considered

I could host a centralized server, but I’d rather not do this for my users.

Additional context

Chrome’s current warning message

This now appears in Chrome:

[Deprecation] The website requested a subresource from a network that it could only access because of its users' privileged network position. These requests expose non-public devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage. To mitigate these risks, Chrome deprecates requests to non-public subresources when initiated from non-secure contexts, and will start blocking them in Chrome 92 (July 2021). See https://chromestatus.com/feature/5436853517811712 for more details.

(Sidenote - spoke to the socket.io devs and they pointed me to you guys - https://github.com/socketio/socket.io/issues/3929)

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 6
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

5 reactions
mash commented, Feb 21, 2022

Chrome 98 seems to have started to add and require the Access-Control-Request-Private-Network header. https://developer.chrome.com/blog/private-network-access-preflight/

After disabling chrome://flags/#block-insecure-private-network-requests, Chrome still adds and requires the header.

For future visitors, you can do:

const express = require('express');
const app = express();

// Register before cors(): by default cors() ends OPTIONS preflights itself,
// so middleware mounted after it never sees them.
app.use('/', function (req, res, next) {
  // Chrome sets this request header on Private Network Access preflights.
  if (req.headers['access-control-request-private-network']) {
    res.setHeader('Access-Control-Allow-Private-Network', 'true');
  }
  next();
});

But I hope to see some flag in cors package.

1 reaction
Abhi347 commented, May 6, 2022

Chrome Beta version 102 started the experiment again, and the preflight requests are sent with the Access-Control-Request-Private-Network header.

For future readers, disabling both of the following flags is required if you want to stop the Chrome browser from requesting the headers for now.

chrome://flags/#block-insecure-private-network-requests
chrome://flags/#private-network-access-send-preflights
