Skip to content

Grant Private Network Access preflights#21

Open
krokicki wants to merge 1 commit into
mainfrom
private-network-access
Open

Grant Private Network Access preflights#21
krokicki wants to merge 1 commit into
mainfrom
private-network-access

Conversation

@krokicki

Copy link
Copy Markdown
Member

Problem

Chromium (Chrome/Edge) Private Network Access (PNA) sends a CORS preflight before any request from a public-origin page to a private-network address, and only proceeds if the response echoes Access-Control-Allow-Private-Network: true. Starlette's CORSMiddleware does not emit that header, so Chromium blocks public-origin pages (e.g. browser-based viewers) from loading data served by an x2s3 instance on an internal network.

Change

Add a small pure-ASGI PrivateNetworkAccessMiddleware (modeled on the existing RequestIdMiddleware) that appends Access-Control-Allow-Private-Network: true to responses for preflights carrying Access-Control-Request-Private-Network: true. Registered outside CORSMiddleware so it wraps the preflight response CORS generates. The header is added only when the PNA request header is present (browsers send it solely on preflights), so it never leaks onto normal data responses.

Tests

  • test_pna_preflight_grants_private_network — preflight with the PNA request header gets the grant header back.
  • test_pna_header_absent_without_request — the grant header does not appear on ordinary responses.

Note on Firefox

This does not address Firefox, which uses a user-permission model (Local Network Access) rather than a server header.

Mirrors the corresponding change in fileglancer (JaneliaSciComp/fileglancer#private-network-access), which uses x2s3's FileProxyClient directly and therefore carries its own copy of this middleware.

🤖 Generated with Claude Code

Chromium (Chrome/Edge) sends a CORS preflight before any request from a
public-origin page to a private-network address, and only proceeds if the
response echoes `Access-Control-Allow-Private-Network: true`. Starlette's
CORSMiddleware does not emit this, so Chromium blocks public-origin pages
from loading data hosted on an internal host.

Add a pure-ASGI PrivateNetworkAccessMiddleware that echoes the grant header
on preflights carrying `Access-Control-Request-Private-Network: true`,
registered outside CORSMiddleware so it wraps the preflight response.

Note: this does not affect Firefox, which uses a user-permission model
(Local Network Access) rather than this header.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@neomorphic neomorphic left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. This new restriction probably means we will need to update a number of similar services in the same way.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants