Support Private Network Access #190
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mathroc
reviewed
Jan 2, 2024
| if ('OPTIONS' === $request->getMethod() && $request->headers->has('Access-Control-Request-Method')) { | ||
| if ('OPTIONS' === $request->getMethod() && | ||
| ($request->headers->has('Access-Control-Request-Method') || | ||
| $request->headers->has('Access-Control-Request-Private-Network')) |
There was a problem hiding this comment.
is it allowed to have the Access-Control-Request-Private-Network header without Access-Control-Request-Method?
Comment on lines
+224
to
+225
| if ($request->headers->has('Access-Control-Request-Private-Network') | ||
| && strtolower($request->headers->get('Access-Control-Request-Private-Network')) === 'true' |
There was a problem hiding this comment.
Suggested change
| if ($request->headers->has('Access-Control-Request-Private-Network') | |
| && strtolower($request->headers->get('Access-Control-Request-Private-Network')) === 'true' | |
| if (strtolower($request->headers->get('Access-Control-Request-Private-Network')) === 'true' |
and, I'm not sure non lowercase true is allowed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Source: https://developer.chrome.com/blog/private-network-access-update/
For more and up to date details on how it works, implementation timeline on the part of Google Chrome, please check out the link provided.
To summarize briefly:
When the browser notices that a website A wants to request a resource from website B and website B is a website in private IP space, the browser sends a additional headers in the Preflight request (along with CORS headers, if any).
The header
Access-Control-Request-Private-Network: trueis the one we are concerned with here.If the server behind website B wants to allow this request, then it has to respond with status code 200 / 204 and the response header
Access-Control-Allow-Private-Network: true.This PR implements the standard in this great bundle to allow or deny (default) Private Network Access with the appropriate header.
Users may set
allow_private_network: truein nelmio_cors.yaml to instruct the bundle to setAccess-Control-Allow-Private-Network: truefor Preflight requests containingAccess-Control-Request-Private-Network: true.