Grant Private Network Access preflights#21
Open
krokicki wants to merge 1 commit into
Open
Conversation
Chromium (Chrome/Edge) sends a CORS preflight before any request from a public-origin page to a private-network address, and only proceeds if the response echoes `Access-Control-Allow-Private-Network: true`. Starlette's CORSMiddleware does not emit this, so Chromium blocks public-origin pages from loading data hosted on an internal host. Add a pure-ASGI PrivateNetworkAccessMiddleware that echoes the grant header on preflights carrying `Access-Control-Request-Private-Network: true`, registered outside CORSMiddleware so it wraps the preflight response. Note: this does not affect Firefox, which uses a user-permission model (Local Network Access) rather than this header. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
neomorphic
approved these changes
Jun 29, 2026
neomorphic
left a comment
Member
There was a problem hiding this comment.
Looks good to me. This new restriction probably means we will need to update a number of similar services in the same way.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Chromium (Chrome/Edge) Private Network Access (PNA) sends a CORS preflight before any request from a public-origin page to a private-network address, and only proceeds if the response echoes
Access-Control-Allow-Private-Network: true. Starlette'sCORSMiddlewaredoes not emit that header, so Chromium blocks public-origin pages (e.g. browser-based viewers) from loading data served by an x2s3 instance on an internal network.Change
Add a small pure-ASGI
PrivateNetworkAccessMiddleware(modeled on the existingRequestIdMiddleware) that appendsAccess-Control-Allow-Private-Network: trueto responses for preflights carryingAccess-Control-Request-Private-Network: true. Registered outsideCORSMiddlewareso it wraps the preflight response CORS generates. The header is added only when the PNA request header is present (browsers send it solely on preflights), so it never leaks onto normal data responses.Tests
test_pna_preflight_grants_private_network— preflight with the PNA request header gets the grant header back.test_pna_header_absent_without_request— the grant header does not appear on ordinary responses.Note on Firefox
This does not address Firefox, which uses a user-permission model (Local Network Access) rather than a server header.
Mirrors the corresponding change in fileglancer (JaneliaSciComp/fileglancer#private-network-access), which uses x2s3's
FileProxyClientdirectly and therefore carries its own copy of this middleware.🤖 Generated with Claude Code