Handle `Access-Control-Request-Private-Network: true` CORS headers

Question

Handle `Access-Control-Request-Private-Network: true` CORS headers

Closed this issue a year ago · 0 comments

Is your feature request related to a problem? Please describe.

We are using nginx-s3-gateway to serve sourcemaps for production services. The s3 gateway lives on a private AWS VPC and is only available over our VPN. This means that users on the VPN can get sourcemaps attached to to compiled code running in production, while customers can not.

Recently Chrome has made an update to prevent unintentional Private Network Access.

When Chrome makes a request for sourcemaps to servers using private IP address space (10.0.0.0/8, etc.), it now sends a CORS OPTIONS preflight with the header Access-Control-Request-Private-Network: true, and expects to get a response Access-Control-Allow-Private-Network: true.

Describe the solution you'd like

There are two possible solutions I can see, though there might be more:

Add an environment variable to configure arbitrary headers, e.g. RESPONSE_HEADERS_TO_ADD or HEADERS_TO_ADD
Add an environment variable just for private network access, e.g. CORS_ALLOW_PRIVATE_NETWORK_ACCESS or CORS_ALLOW_PRIVATE_NETWORK.

Describe alternatives you've considered

I could fork this repo and maintain it myself, but this seems like a valuable usecase.

Additional context

https://developer.chrome.com/blog/private-network-access-preflight/
https://developer.chrome.com/blog/private-network-access-update/