Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CORS support for Private Network Access #28546

Closed
sixcorners opened this issue May 31, 2022 · 6 comments
Closed

Add CORS support for Private Network Access #28546

sixcorners opened this issue May 31, 2022 · 6 comments
Assignees
@sdeleuze
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Milestone
6.1.3

Comments

@sixcorners
Copy link

sixcorners commented May 31, 2022
edited by sdeleuze
Loading

Chrome will want a Access-Control-Allow-Private-Network header from the application if Access-Control-Request-Private-Network is sent in the preflight request. It would be nice if the CrossOrigin annotation handled this.

See https://developer.chrome.com/blog/private-network-access-preflight/.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label May 31, 2022
@rstoyanchev rstoyanchev added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Jan 24, 2023
@davidmobbssap
Copy link

Any update on this ?
Our product is relying on Spring to implement a web server, we are in a situation where private network access would break our workflow, and Google will one day or another enforce the change.
So... can we expect a solution within the Spring framework, or will we have to circumvent it ?
Thanks !

@rstoyanchev
Copy link
Contributor

Thanks for raising this.

My initial read is that this would be another boolean attribute in CorsConfiguration and @CrossOrigin that we would check if the Access-Control-Allow-Private-Network request header is present. It'll also require some additional logic for preflight checks given that:

preflight requests for PNA are also sent for same-origin requests, if the target IP address is more private than the initiator

I note that the spec is still a draft, and it's unclear how much it is to evolve yet, even if it is in Chrome already.

@rstoyanchev rstoyanchev added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Mar 14, 2023
@rstoyanchev rstoyanchev added this to the 6.x Backlog milestone Mar 14, 2023
@bgalek
Copy link

bgalek commented Dec 21, 2023

Access-Control-Allow-Private-Network is already there in your browsers, for now it's just a warning, but few days ago I've got caught in chrome experiment and it broke some internal stuff, can we update priority on this task?
@rstoyanchev?

Screenshot 2023-12-21 at 20 01 32

@sdeleuze sdeleuze modified the milestones: 6.x Backlog, 6.1.3 Dec 22, 2023
@sdeleuze sdeleuze self-assigned this Dec 22, 2023
@sdeleuze sdeleuze changed the title Support Access-Control-Allow-Private-Network header Add CORS support for Private Network Access Jan 5, 2024
sdeleuze added a commit to sdeleuze/spring-framework that referenced this issue Jan 5, 2024
@sdeleuze
Add CORS support for Private Network Access
d246856 
This commit adds CORS support for Private Network Access
by adding an Access-Control-Allow-Private-Network response
header when the preflight request is sent with an
Access-Control-Request-Private-Network header and that
Private Network Access has been enabled in the CORS
configuration.

See https://developer.chrome.com/blog/private-network-access-preflight/
for more details.

Closes spring-projectsgh-28546
@fmaeseele
Copy link

Hi,
Any chance this can be backported to branch 5.3 ?
Kind regards

@sdeleuze
Copy link
Contributor

sdeleuze commented Jan 8, 2024

Yes, we will.

@github-actions github-actions bot added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.3.x labels Jan 8, 2024
This was referenced Jan 8, 2024
Closed
Closed
sdeleuze added a commit to sdeleuze/spring-framework that referenced this issue Jan 8, 2024
@sdeleuze
Polishing
bd66763 
See spring-projectsgh-28546
@sdeleuze
Copy link
Contributor

sdeleuze commented Jan 8, 2024

Backported to both Spring Framework 6.0 and 5.3.

jhoeller added a commit that referenced this issue Jan 24, 2024
@jhoeller
Declare allowPrivateNetwork as available since 5.3.32
732642d 
See gh-28546
See gh-31974
jhoeller added a commit that referenced this issue Jan 24, 2024
@jhoeller
Declare allowPrivateNetwork as available since 5.3.32
9bd2be8 
See gh-28546
See gh-31974
jhoeller added a commit that referenced this issue Jan 24, 2024
@jhoeller
Declare allowPrivateNetwork as available since 5.3.32
2f921dd 
See gh-28546
See gh-31974
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sdeleuze sdeleuze

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Projects
None yet
Milestone
6.1.3
Development

No branches or pull requests
7 participants
@sdeleuze @rstoyanchev @sixcorners @bgalek @fmaeseele @spring-projects-issues @davidmobbssap