
feat: handle private network requests

Open joostdebruijn opened this issue 2 years ago • 14 comments

This PR adds support for Private Network Requests via CORS, as described in issue #236.

By default this library allows all origins, so in this PR Private Network Requests are allowed by default as well.

(Closes #236)

joostdebruijn avatar Aug 02 '22 12:08 joostdebruijn

Besides the default issue above, it looks good, thank you for your work, it is really appreciated!

As for the option name itself, I'm not sure the Access postfix is really necessary, as all the options are about access. What about just allowPrivateNetwork?

dougwilson avatar Aug 02 '22 14:08 dougwilson

Thanks for your feedback! I pushed a new commit for the default value.

What about just allowPrivateNetwork?

Yes, better! Changed that as well.

joostdebruijn avatar Aug 02 '22 14:08 joostdebruijn

@dougwilson Did you have time to re-review this one?

joostdebruijn avatar Sep 21 '22 12:09 joostdebruijn

It's great to see this PR as we are also very interested in this feature, thank you @joostdebruijn! @dougwilson looking forward to hearing an update from you. Thank you both!

jaime-rivas avatar Dec 05 '22 14:12 jaime-rivas

Hello @dougwilson ,

Looking forward to this PR since I cannot test my ApolloServer when running on localhost. Thank you for your efforts @joostdebruijn

edokan avatar Dec 29 '22 16:12 edokan

I'm also quite interested in this PR so we don't have any problems in the next chromium updates.


gersonfs avatar Feb 10 '23 13:02 gersonfs

Thanks everyone. I will review it today and merge if there are no comments. In the meantime I do have a question about whether this should land enabled by default like this; I'm not sure if that is going to end up getting a security vuln reported or not. I ask because I assume the point of the web browser change is that this should be opt-in?

dougwilson avatar Feb 10 '23 13:02 dougwilson

I'm not a security expert, but in particular I find it more transparent to enable this setting explicitly in the client code.

gersonfs avatar Feb 10 '23 16:02 gersonfs

Looking forward to this PR since we encountered problems in our automation recently after updating the Chrome version. We run the automation in a private network, so we have to add support for the new headers, either by ourselves or, which would be great, by using this option.

skambalin avatar Jun 09 '23 06:06 skambalin

Any update on this? It's getting close to Chrome 117 release day 😬

From what I can tell from the conversation, there is an outstanding question of whether this setting should be on by default. IMO it should not be - the setting is there to allow a very specific use case that potentially opens up clients to possible exploitation, so those that enable it must be aware of the consequences of it.

bbbates-tl avatar Aug 17 '23 05:08 bbbates-tl

Please merge this

trullock avatar Aug 22 '23 09:08 trullock

Hi @trullock the PR should get changed so it is not on by default as per @bbbates-tl I think.

dougwilson avatar Aug 22 '23 13:08 dougwilson

@dougwilson I've changed the default value. Private network requests are disabled by default now.

joostdebruijn avatar Aug 22 '23 13:08 joostdebruijn
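An added example, not the cors library's own code, showing the handshake this PR implements together with the opt-in default the thread settled on: Chrome's preflight carries `Access-Control-Request-Private-Network: true`, and the server answers `Access-Control-Allow-Private-Network: true` only when the `allowPrivateNetwork` option is set. The middleware shape, the `corsHeaders` helper and the sample preflight are constructed for the example.

```javascript
// Private Network Access (PNA) preflight handling, written as an added
// example. Header names are the ones Chrome uses; the option name
// `allowPrivateNetwork` comes from the PR thread, and its default `false`
// reflects the final, opt-in state of the PR.

const PNA_REQUEST = 'access-control-request-private-network'; // lowercased, as Node exposes it
const PNA_ALLOW = 'Access-Control-Allow-Private-Network';

// Compute the CORS response headers for one request.
// `origin` is the permitted origin ('*' mirrors the library's permissive default).
function corsHeaders(req, { origin = '*', allowPrivateNetwork = false } = {}) {
  const headers = { 'Access-Control-Allow-Origin': origin };
  const isPreflight = req.method === 'OPTIONS' &&
    req.headers['access-control-request-method'] !== undefined;
  if (!isPreflight) return headers; // actual requests never carry the PNA grant

  headers['Access-Control-Allow-Methods'] = 'GET,HEAD,PUT,PATCH,POST,DELETE';
  // The grant is emitted only when the operator opted in AND the browser
  // actually asked for it; a silent default-on grant is what the thread rejected.
  if (allowPrivateNetwork && req.headers[PNA_REQUEST] === 'true') {
    headers[PNA_ALLOW] = 'true';
  }
  return headers;
}

// Express-style middleware wrapper around corsHeaders (hypothetical, for illustration).
function cors(options) {
  return function (req, res, next) {
    for (const [k, v] of Object.entries(corsHeaders(req, options))) res.setHeader(k, v);
    if (req.method === 'OPTIONS') { res.statusCode = 204; return res.end(); }
    next();
  };
}

// Constructed preflight, as a public page would trigger it against a
// service on a private or loopback address.
const preflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://public.example',
    'access-control-request-method': 'POST',
    [PNA_REQUEST]: 'true',
  },
};

// With the default options the grant is absent; with the opt-in it is present.
const defaultHeaders = corsHeaders(preflight);
const optInHeaders = corsHeaders(preflight, { allowPrivateNetwork: true });
```

Wiring `cors({ allowPrivateNetwork: true })` into an Express app emits the grant only on preflights that request it, so the browser's decision to block or allow stays tied to an explicit server-side choice.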

Is this going to be merged anytime soon?

Sahib08 avatar Apr 19 '24 19:04 Sahib08