Chrome will want an Access-Control-Allow-Private-Network header from the application if Access-Control-Request-Private-Network is sent in the preflight request. It would be nice if the CrossOrigin annotation handled this.
See https://developer.chrome.com/blog/private-network-access-preflight/.
Comment From: davidmobbssap
Any update on this? Our product is relying on Spring to implement a web server, we are in a situation where private network access would break our workflow, and Google will one day or another enforce the change. So... can we expect a solution within the Spring framework, or will we have to circumvent it? Thanks!
Comment From: rstoyanchev
Thanks for raising this.
My initial read is that this would be another boolean attribute in CorsConfiguration and @CrossOrigin that we would check if the Access-Control-Allow-Private-Network request header is present. It'll also require some additional logic for preflight checks given that:
preflight requests for PNA are also sent for same-origin requests, if the target IP address is more private than the initiator
I note that the spec is still a draft, and it's unclear how much it is to evolve yet, even if it is in Chrome already.
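The preflight decision discussed in the comment above, as an added example that is not part of the thread and is not Spring's implementation: plain Java showing an opt-in boolean gating the response header, including the same-origin preflight case. The names `Policy` and `preflight`, the exact-case header map, and all sample origins are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added illustration in plain Java; not Spring's CorsConfiguration or CORS processor.
public class PnaPreflightDemo {

    // Hypothetical policy holder; allowPrivateNetwork is the opt-in boolean.
    record Policy(Set<String> origins, Set<String> methods, boolean allowPrivateNetwork) {}

    // Response headers for an OPTIONS preflight; an empty map means "not granted".
    // Header names are looked up with exact case here for brevity.
    static Map<String, String> preflight(Map<String, String> req, String ownOrigin, Policy p) {
        Map<String, String> res = new LinkedHashMap<>();
        String origin = req.get("Origin");
        String method = req.get("Access-Control-Request-Method");
        boolean pna = "true".equalsIgnoreCase(req.get("Access-Control-Request-Private-Network"));
        boolean sameOrigin = ownOrigin.equals(origin);
        // Same-origin requests usually bypass CORS handling, but a private network
        // access preflight can arrive same-origin and still needs an answer.
        if (origin == null || (sameOrigin && !pna)) return res;
        if (!sameOrigin && !p.origins().contains(origin)) return res;
        if (method == null || !p.methods().contains(method)) return res;
        res.put("Access-Control-Allow-Origin", origin);
        res.put("Access-Control-Allow-Methods", method);
        // Grant only when the browser asked for it AND the application opted in.
        if (pna && p.allowPrivateNetwork()) {
            res.put("Access-Control-Allow-Private-Network", "true");
        }
        return res;
    }

    // Builds a constructed preflight request carrying the PNA request header.
    static Map<String, String> pnaRequest(String origin) {
        return Map.of("Origin", origin,
                "Access-Control-Request-Method", "GET",
                "Access-Control-Request-Private-Network", "true");
    }

    public static void main(String[] args) {
        String self = "http://192.168.0.10:8080";     // constructed sample origin
        String trusted = "https://app.example.com";   // constructed sample origin
        Policy optIn = new Policy(Set.of(trusted), Set.of("GET", "POST"), true);
        Policy optOut = new Policy(Set.of(trusted), Set.of("GET", "POST"), false);
        System.out.println("opt-in, listed origin:   " + preflight(pnaRequest(trusted), self, optIn));
        System.out.println("opt-out, listed origin:  " + preflight(pnaRequest(trusted), self, optOut));
        System.out.println("opt-in, same origin:     " + preflight(pnaRequest(self), self, optIn));
        System.out.println("opt-in, unlisted origin: " + preflight(pnaRequest("https://other.example"), self, optIn));
    }
}
```

Only the first and third cases carry `Access-Control-Allow-Private-Network: true`; the opt-out policy still answers the CORS part but withholds the private-network grant, and the unlisted origin gets no headers at all.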
Comment From: bgalek
Access-Control-Allow-Private-Network is already there in your browsers, for now it's just a warning, but a few days ago I got caught in a Chrome experiment and it broke some internal stuff, can we update the priority on this task? @rstoyanchev?
Comment From: fmaeseele
Hi, any chance this can be backported to branch 5.3? Kind regards
Comment From: sdeleuze
Yes, we will.
Comment From: sdeleuze
Backported to both Spring Framework 6.0 and 5.3.