
CORS-RFC1918 Support #3929

Closed
NoelDavies opened this issue May 17, 2021 · 5 comments
Labels: enhancement (New feature or request)

Comments

@NoelDavies

Is your feature request related to a problem? Please describe.
I've not seen this mentioned before (apologies if it has come up).

Chrome will soon implement this and block any public to private requests (public domain to 127.0.0.1).

See https://chromestatus.com/feature/5436853517811712

Describe the solution you'd like
Update the cors package / add an option directly in the socket.io constructor to set the new CORS header.
https://wicg.github.io/private-network-access/#headers

Describe alternatives you've considered
I could host a centralized server, but I'd rather not do this for my users.

Additional context

Chrome's current warning message

This now appears in chrome:
[Deprecation] The website requested a subresource from a network that it could only access because of its users' privileged network position. These requests expose non-public devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage. To mitigate these risks, Chrome deprecates requests to non-public subresources when initiated from non-secure contexts, and will start blocking them in Chrome 92 (July 2021). See https://chromestatus.com/feature/5436853517811712 for more details.

@NoelDavies NoelDavies added the enhancement New feature or request label May 17, 2021
@darrachequesne
Member

Hi! Could you please open an issue here: https://github.com/expressjs/cors? We'll include the new release once the cors package is updated.

Please note that, for now, you can manually add those headers:

Server (using the "headers" event which was added in [email protected]):

io.engine.on("headers", (headers, req) => {
  // The spec defines the value as the literal token "true"; send it as a
  // string rather than relying on Node coercing a boolean when writing headers.
  headers["Access-Control-Allow-Private-Network"] = "true";
});

Client:

const socket = io({
  extraHeaders: {
    // Request-side header of the same spec; again the value is the string "true".
    "Access-Control-Request-Private-Network": "true"
  }
});

@NoelDavies
Author

Of course, my apologies! Will do now!

@jzybert

jzybert commented Aug 3, 2021

@darrachequesne I added those headers like you specified but I'm still seeing the warning. Am I missing something?

Server:

import express from "express";
import { createServer } from "http";
import { Server } from "socket.io";

const app = express();
const server = createServer(app);
const io = new Server(server, {
    serveClient: false,
    cors: {
        origin: 'http://localhost:3000',
        methods: ['GET', 'POST']
    }
});

// engine.io "headers" event: add the Private Network Access response header
// (value is the string "true", as the spec defines the token)
io.engine.on("headers", (headers: { [x: string]: any; }) => {
    headers["Access-Control-Allow-Private-Network"] = "true";
});

Client:

import { io } from "socket.io-client";

let socket = io("http://localhost:5000", {
    extraHeaders: {
        'Access-Control-Request-Private-Network': 'true'
    }
});

package.json

...
    "socket.io": "4.1.3",
    "socket.io-client": "4.1.3",
    "socket.io-parser": "4.0.4",
...

@darrachequesne
Member

That's weird... Do you see the headers in the network tab?
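The preflight exchange that the two headers discussed in this thread belong to, as an added example that is not part of this issue or of the socket.io project. It follows the request/response header pair described at https://wicg.github.io/private-network-access/#headers: the browser sends an OPTIONS request carrying `Access-Control-Request-Private-Network: true`, and the server answers with `Access-Control-Allow-Private-Network: true` on that preflight response. The allow-list origin `https://app.example.com`, the function names `handlePreflight` and `requestListener`, and the sample request are all constructed for the example.

```javascript
// Added example (not socket.io project code): answering a Private Network
// Access (CORS-RFC1918) preflight in framework-free Node.js.
// Assumed exchange, per https://wicg.github.io/private-network-access/#headers:
//   browser -> OPTIONS with Origin, Access-Control-Request-Method and
//              Access-Control-Request-Private-Network: true
//   server  -> 204 with Access-Control-Allow-Origin and
//              Access-Control-Allow-Private-Network: true (the literal string)

// Constructed allow-list of public origins permitted to reach this private
// service. Reflecting every Origin here would hand private-network access to
// any site, which is exactly what the browser check exists to prevent.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Node exposes incoming header names in lower case; mirror that for
// constructed inputs so the lookups below work on both.
function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Decide how to answer a request if it is a CORS preflight.
// Returns null when the request is not a preflight (let normal routing run),
// otherwise { status, headers } describing the response to send.
function handlePreflight(req, allowedOrigins = ALLOWED_ORIGINS) {
  const h = lowerCaseHeaders(req.headers);
  const origin = h["origin"];
  const requestedMethod = h["access-control-request-method"];
  if (req.method !== "OPTIONS" || !origin || !requestedMethod) {
    return null;
  }
  if (!allowedOrigins.has(origin)) {
    // No CORS headers at all: the browser fails the preflight.
    return { status: 403, headers: {} };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Max-Age": "600",
  };
  if (h["access-control-request-headers"]) {
    // Echo the requested request headers back (e.g. content-type).
    headers["Access-Control-Allow-Headers"] = h["access-control-request-headers"];
  }
  // Grant private-network access only when the browser asked for it, and only
  // with the string "true": the spec defines the value as that token.
  if (h["access-control-request-private-network"] === "true") {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers };
}

// http.Server listener that puts the preflight answer in front of the
// application's own handler. Usage: http.createServer(requestListener).listen(8080)
function requestListener(req, res) {
  const preflight = handlePreflight(req);
  if (preflight) {
    for (const [name, value] of Object.entries(preflight.headers)) {
      res.setHeader(name, value);
    }
    res.writeHead(preflight.status);
    res.end();
    return;
  }
  // Actual requests still need the ordinary CORS response header for an
  // allowed origin; the private-network header belongs only on the preflight.
  const origin = lowerCaseHeaders(req.headers)["origin"];
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.setHeader("Access-Control-Allow-Origin", origin);
    res.setHeader("Vary", "Origin");
  }
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end("hello from 127.0.0.1");
}

// Constructed preflight, shaped like the one a browser sends when a public
// page talks to a server on 127.0.0.1.
const samplePreflight = {
  method: "OPTIONS",
  headers: {
    "Origin": "https://app.example.com",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Private-Network": "true",
  },
};

console.log(handlePreflight(samplePreflight));
```

The quickest check is the one asked for above: in the browser's network tab, open the OPTIONS response for the socket.io endpoint and confirm `Access-Control-Allow-Private-Network: true` is on that response. A hook that only decorates the later GET/POST responses leaves the preflight unanswered, and the browser never gets past it.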

@darrachequesne
Member

Closed due to inactivity, please reopen if needed.
