📝 [Proposal]: Add Support for the Private Network Access CORS Header `Access-Control-Request-Private-Network`
Feature Proposal Description
Add CORS Middleware Support for the Private Network Access CORS Header Access-Control-Request-Private-Network to avoid additional preflight/timeout time cost.
Alignment with Express API
Express.js's CORS middleware has not been updated yet.
HTTP RFC Standards Compliance
- Private Network Access: introducing preflights
- Private Network Access (W3C Draft Report) (Previously known as CORS-RFC1918)
API Stability
It seems that Chrome 104 has already shipped this header.
Feature Examples
```go
app.Use(cors.New(cors.Config{
	AllowPrivateNetworkAccess: true,
	// other already existing fields omitted...
}))
```
Example Request
```http
OPTIONS /path HTTP/1.1
Accept: */*
Access-Control-Request-Method: GET
Access-Control-Request-Private-Network: true
Origin: https://example.com
Sec-Fetch-Mode: cors
```
Expected Response for the Example Request
```http
HTTP/1.1 204 No Content
Access-Control-Allow-Private-Network: true
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST,HEAD,PUT,DELETE,PATCH
```
Checklist:
- [X] I agree to follow Fiber's Code of Conduct.
- [X] I have searched for existing issues that describe my proposal before opening this one.
- [X] I understand that a proposal that does not meet these guidelines may be closed without explanation.
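The preflight exchange from the example request and expected response above, as an added example that is not part of the original issue and not Fiber's code: a plain `net/http` handler that returns `Access-Control-Allow-Private-Network: true` only when the preflight asks for it. The names `pnaPreflight` and `sendPreflight` are hypothetical, and granting the opt-in per allowlisted origin instead of the issue's `Access-Control-Allow-Origin: *` is an assumption of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// pnaPreflight (hypothetical, not Fiber's API) answers CORS preflights for allowlisted origins.
func pnaPreflight(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A preflight is an OPTIONS request carrying Access-Control-Request-Method.
		if r.Method != http.MethodOptions || r.Header.Get("Access-Control-Request-Method") == "" {
			next.ServeHTTP(w, r)
			return
		}
		h := w.Header()
		h.Set("Vary", "Origin, Access-Control-Request-Method, Access-Control-Request-Headers")
		origin := r.Header.Get("Origin")
		if !allowed[origin] {
			// Unknown origin: no CORS headers, so the browser blocks the request.
			w.WriteHeader(http.StatusForbidden)
			return
		}
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Methods", "GET,POST,HEAD,PUT,DELETE,PATCH")
		// Send the private-network opt-in only when the browser asked for it.
		if r.Header.Get("Access-Control-Request-Private-Network") == "true" {
			h.Set("Access-Control-Allow-Private-Network", "true")
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// sendPreflight replays the issue's example request with a constructed Origin value.
func sendPreflight(h http.Handler, origin string, pna bool) (int, string) {
	req := httptest.NewRequest(http.MethodOptions, "/path", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "GET")
	if pna {
		req.Header.Set("Access-Control-Request-Private-Network", "true")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Private-Network")
}

func main() {
	h := pnaPreflight(map[string]bool{"https://example.com": true}, http.NotFoundHandler())
	fmt.Println(sendPreflight(h, "https://example.com", true))
}
```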
This is really interesting. But I was just curious how we are avoiding pre-flight requests in this case. To access a private resource, wouldn't the browser still need to make an [options] pre-flight request with the header Access-Control-Request-Private-Network: true so that the server would respond with Access-Control-Allow-Private-Network: true?
What I'm confused about is: isn't it up to the browser to decide automatically when a pre-flight request needs to be sent? Either way, it would be sending a pre-flight request anyway? So how are we avoiding additional pre-flights?
@Behzad-Khokher here is the blog post from Google on how it works: https://developer.chrome.com/blog/private-network-access-preflight
sure we can do this
@ReneWerner87 I can look into this. May I self assign?
Thx
This is still in draft and has not been accepted as a standard. https://wicg.github.io/private-network-access/
Recommend against adding at this time.
Fixed via #2908; will be a new feature in Fiber v3.