
CORS Access-Control-Allow-Private-Network

Open t0rr3sp3dr0 opened this issue 3 years ago • 6 comments

Feature Request

Add a new allowPrivateNetwork option to corsPolicy of HTTPProxy that will make Contour respond to requests with the header Access-Control-Allow-Private-Network: true when the header Access-Control-Request-Private-Network: true is present on OPTIONS requests.

apiVersion: projectcontour.io/v1
kind: HTTPProxy
spec:
  virtualhost:
    corsPolicy:
      allowPrivateNetwork: true

Context

Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification.

Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true.

Source: https://developer.chrome.com/blog/private-network-access-preflight/

t0rr3sp3dr0 avatar Jun 02 '22 16:06 t0rr3sp3dr0

Related: https://github.com/envoyproxy/envoy/issues/21553

t0rr3sp3dr0 avatar Jun 02 '22 17:06 t0rr3sp3dr0

You could possibly implement this with contour as-is using the response header policy configuration option on an HTTPProxy route

sunjayBhatia avatar Jun 02 '22 19:06 sunjayBhatia

If that is not sufficient we could implement this but would be blocked on native Envoy support

sunjayBhatia avatar Jun 02 '22 19:06 sunjayBhatia

I believe HeaderResponsePolicy is not enough because we must not include this header if the Origin is not trusted.

But it can be used as a workaround to restore the old behavior of Chrome. It seems reasonable short-term, but it is important we have this in long-term.

t0rr3sp3dr0 avatar Jun 02 '22 20:06 t0rr3sp3dr0
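As an added illustration (not code from this issue or from Contour itself), the preflight decision the requested option implies, in Go: the PNA allow header is emitted only for an Origin the corsPolicy trusts and only when the browser asked for it, which is exactly the distinction a static responseHeadersPolicy cannot make. The type and field names and the sample origins are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
)

// CORSPolicy is a stand-in for the corsPolicy fields relevant here
// (illustrative names, not Contour's real Go types).
type CORSPolicy struct {
	AllowOrigin         []string // exact origins; "*" allows any origin
	AllowPrivateNetwork bool     // the proposed allowPrivateNetwork flag
}

// originAllowed reports whether the request's Origin is trusted by the policy.
func (p CORSPolicy) originAllowed(origin string) bool {
	if origin == "" {
		return false
	}
	for _, o := range p.AllowOrigin {
		if o == "*" || o == origin {
			return true
		}
	}
	return false
}

// PreflightHeaders computes the response headers for an OPTIONS preflight.
// Access-Control-Allow-Private-Network is set only when the origin is trusted
// AND the browser sent Access-Control-Request-Private-Network: true.
func (p CORSPolicy) PreflightHeaders(req *http.Request) http.Header {
	h := http.Header{}
	origin := req.Header.Get("Origin")
	if !p.originAllowed(origin) {
		return h // untrusted origin: no CORS headers at all
	}
	h.Set("Access-Control-Allow-Origin", origin)
	if p.AllowPrivateNetwork && req.Header.Get("Access-Control-Request-Private-Network") == "true" {
		h.Set("Access-Control-Allow-Private-Network", "true")
	}
	return h
}

func main() {
	p := CORSPolicy{AllowOrigin: []string{"https://app.example.com"}, AllowPrivateNetwork: true}
	req, _ := http.NewRequest(http.MethodOptions, "http://10.0.0.5/api", nil) // constructed sample
	req.Header.Set("Origin", "https://other.example") // an origin the policy does not list
	req.Header.Set("Access-Control-Request-Private-Network", "true")
	fmt.Println(p.PreflightHeaders(req)) // prints map[]: untrusted origin gets nothing
}
```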

@sunjayBhatia, this issue has been resolved on the Envoy side. Can we remove the blocked/needs-envoy label?

t0rr3sp3dr0 avatar Sep 01 '22 14:09 t0rr3sp3dr0

looks like this change hasn't made it into a release yet, so still blocked on that for a bit

sunjayBhatia avatar Sep 01 '22 15:09 sunjayBhatia

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

github-actions[bot] avatar Nov 01 '22 00:11 github-actions[bot]

@sunjayBhatia, now we can remove the blocked/needs-envoy tag. Envoy v1.24.0 was recently released with support for CORS PNA.

t0rr3sp3dr0 avatar Nov 01 '22 01:11 t0rr3sp3dr0

thanks for the update @t0rr3sp3dr0 !

sunjayBhatia avatar Nov 01 '22 17:11 sunjayBhatia

Hi @sunjayBhatia! May I pick this up, and can you please guide me on how to implement it?

vishal-chdhry avatar Nov 14 '22 14:11 vishal-chdhry

@Vishal-Chdhry

  • a new field should be added here: https://github.com/projectcontour/contour/blob/6c2ff107b36c25ac89770704c1c247296ff6a470/apis/projectcontour/v1/httpproxy.go#L375-L409
  • you can follow the logic around CORS policies in this helper: https://github.com/projectcontour/contour/blob/6c2ff107b36c25ac89770704c1c247296ff6a470/internal/dag/httpproxy_processor.go#L1305
  • for testing, you should add some unit tests and a featuretest here: https://github.com/projectcontour/contour/blob/6c2ff107b36c25ac89770704c1c247296ff6a470/internal/featuretests/v3/corspolicy_test.go

sunjayBhatia avatar Jan 06 '23 00:01 sunjayBhatia