CORSMiddleware with Access-Control-Allow-Private-Network header

[Impro02]

Is it possible to add the allow_private_network parameter to the CORSMiddleware init like the following example ?

class CORSMiddleware:
    def __init__(
        self,
        app: ASGIApp,
        allow_origins: typing.Sequence[str] = (),
        allow_methods: typing.Sequence[str] = ("GET",),
        allow_headers: typing.Sequence[str] = (),
        allow_credentials: bool = False,
        allow_private_network: bool = False,
        allow_origin_regex: typing.Optional[str] = None,
        expose_headers: typing.Sequence[str] = (),
        max_age: int = 600,
    ) -> None:
        if "*" in allow_methods:
            allow_methods = ALL_METHODS

        compiled_allow_origin_regex = None
        if allow_origin_regex is not None:
            compiled_allow_origin_regex = re.compile(allow_origin_regex)

        allow_all_origins = "*" in allow_origins
        allow_all_headers = "*" in allow_headers
        preflight_explicit_allow_origin = not allow_all_origins or allow_credentials

        simple_headers = {}
        if allow_all_origins:
            simple_headers["Access-Control-Allow-Origin"] = "*"
        if allow_credentials:
            simple_headers["Access-Control-Allow-Credentials"] = "true"
        if allow_private_network:
            simple_headers["Access-Control-Allow-Private-Network"] = "true"
        if expose_headers:
            simple_headers["Access-Control-Expose-Headers"] = ", ".join(expose_headers)

        preflight_headers = {}
        if preflight_explicit_allow_origin:
            # The origin value will be set in preflight_response() if it is allowed.
            preflight_headers["Vary"] = "Origin"
        else:
            preflight_headers["Access-Control-Allow-Origin"] = "*"
        preflight_headers.update(
            {
                "Access-Control-Allow-Methods": ", ".join(allow_methods),
                "Access-Control-Max-Age": str(max_age),
            }
        )
        allow_headers = sorted(SAFELISTED_HEADERS | set(allow_headers))
        if allow_headers and not allow_all_headers:
            preflight_headers["Access-Control-Allow-Headers"] = ", ".join(allow_headers)
        if allow_credentials:
            preflight_headers["Access-Control-Allow-Credentials"] = "true"
        if allow_private_network:
            preflight_headers["Access-Control-Allow-Private-Network"] = "true"

        self.app = app
        self.allow_origins = allow_origins
        self.allow_methods = allow_methods
        self.allow_headers = [h.lower() for h in allow_headers]
        self.allow_all_origins = allow_all_origins
        self.allow_all_headers = allow_all_headers
        self.preflight_explicit_allow_origin = preflight_explicit_allow_origin
        self.allow_origin_regex = compiled_allow_origin_regex
        self.simple_headers = simple_headers
        self.preflight_headers = preflight_headers

[Kludex]

Do any CORSMiddleware in other framework implements this? What is this header?

[Impro02]

This header is used when there is a Private and Public combination, for example when the fontend is public and backend is private api hosting.

more information: https://developer.chrome.com/blog/private-network-access-preflight

[Kludex]

I meant if there's any other CORSMiddleware in a backend framework implementing it.

[Zaczero]

I think it's a good idea to support this header. Recently I had a cors issue when accessing a private IP site and I suppose this header would be a proper fix for it 😃. Good to know!

[Kludex]

What's the error?

[Zaczero]

It's a cors error. This new check prevents accessing private IPs websites from public IP websites. For example, if an image hosted on a private IP, is embedded on a public site, it will abort connection unless this header is set explicitly (for security). This headers allows for such behavior.

My use case is that the same domain have both public and private IPs (depending on the DNS server), and when connecting from an internal network via a private IP, additional access is granted.

Link to the wicg draft: https://wicg.github.io/private-network-access/

[dm1sh]

I've created a pull request #2621 implementing this functionality. Feel free to contribute and review to speed up its merging.

[Kludex]

Thanks. :)

If you want to speed up the merging process, it would be cool to reply my messages on the other threads here.

[Zefiro]

I just stumbled upon it as I wanted to get a project working with was using Python and FastAPI and this lead to here.
it appears that PR got abandoned :(
I don't know enough of this project to pick it up myself, but could you please reconsider adding it?
The new rules of Chrome makes certain use-cases impossible otherwise (and Firefox doesn't support the necessary Bluetooth APIs I need)