From 5bd8992544ce870e8cf0dcb7c5cd145e05e5a68d Mon Sep 17 00:00:00 2001
From: Daniel Compton
Date: Tue, 17 Oct 2023 08:03:48 +1300
Subject: [PATCH] feature: add CORS_ALLOW_PRIVATE_NETWORK_ACCESS env var

---
 .../etc/nginx/templates/gateway/cors.conf.template | 13 +++++++++++++
 docs/getting_started.md | 1 +
 2 files changed, 14 insertions(+)

diff --git a/common/etc/nginx/templates/gateway/cors.conf.template b/common/etc/nginx/templates/gateway/cors.conf.template
index e92a1c95..f51346d0 100644
--- a/common/etc/nginx/templates/gateway/cors.conf.template
+++ b/common/etc/nginx/templates/gateway/cors.conf.template
@@ -1,4 +1,5 @@
 set $request_cors "${request_method}_${CORS_ENABLED}";
+set $cors_private_network "${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}";
 
 if ($request_cors = "OPTIONS_1") {
     add_header 'Access-Control-Allow-Origin' '${CORS_ALLOWED_ORIGIN}';
@@ -11,6 +12,18 @@ if ($request_cors = "OPTIONS_1") {
     # Tell client that this pre-flight info is valid for 20 days
     #
     add_header 'Access-Control-Max-Age' 1728000;
+    #
+    # Allow/deny Private Network Access CORS requests.
+    # https://developer.chrome.com/blog/private-network-access-preflight/
+    #
+    if ($http_access_control_request_private_network = "true") {
+        if ($cors_private_network = "true") {
+            add_header 'Access-Control-Allow-Private-Network' 'true';
+        }
+        if ($cors_private_network = "false") {
+            add_header 'Access-Control-Allow-Private-Network' 'false';
+        }
+    }
     add_header 'Content-Type' 'text/plain; charset=utf-8';
     add_header 'Content-Length' 0;
     return 204;
diff --git a/docs/getting_started.md b/docs/getting_started.md
index 8bfce615..5494f76a 100644
--- a/docs/getting_started.md
+++ b/docs/getting_started.md
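Review bot: The nested `if` blocks in the second hunk each carry their own `add_header`, and nginx inherits `add_header` directives from the enclosing level only when the current level defines none, so a preflight that matches `if ($cors_private_network = "true")` is likely answered with only `Access-Control-Allow-Private-Network` and loses `Access-Control-Allow-Origin`, `Access-Control-Max-Age` and the other headers set in the enclosing `if ($request_cors = "OPTIONS_1")` block, which starts and ends outside this hunk. That would make the private-network preflight fail for exactly the clients the new variable is meant to serve, so it is worth confirming with an OPTIONS request against the built image before merging. A safer shape keeps only `set` inside the conditionals and emits the header once at the enclosing level, relying on nginx omitting an `add_header` whose value expands to an empty string; the variable name `$cors_pna_header` below is a placeholder. Since `'true'` is a grant that lets a public-origin page reach this gateway from inside a private network, the docs row's "blank means no header" default is the right one and the template should keep behaving that way.
```nginx
    # … unchanged: Access-Control-Max-Age header …
    #
    # Allow/deny Private Network Access CORS requests.
    # https://developer.chrome.com/blog/private-network-access-preflight/
    #
    set $cors_pna_header "";
    if ($http_access_control_request_private_network = "true") {
        if ($cors_private_network = "true") {
            set $cors_pna_header "true";
        }
        if ($cors_private_network = "false") {
            set $cors_pna_header "false";
        }
    }
    # nginx omits an add_header whose value is empty, so nothing is sent unless
    # the request asked for PNA and CORS_ALLOW_PRIVATE_NETWORK_ACCESS is true/false.
    add_header 'Access-Control-Allow-Private-Network' $cors_pna_header;
    # … unchanged: Content-Type, Content-Length, return 204 …
```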
@@ -40,6 +40,7 @@ running as a Container or as a Systemd service.
 | `HEADER_PREFIXES_TO_STRIP` | No | | | A list of HTTP header prefixes that exclude headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-goog-;x-something-` |
 | `CORS_ENABLED` | No | `true`, `false` | `false` | Flag that enables CORS headers on GET requests and enables pre-flight OPTIONS requests. If enabled, this will add CORS headers for "fully open" cross domain requests by default, meaning all domains are allowed, similar to the settings show in [this example](https://enable-cors.org/server_nginx.html). CORS settings can be fine-tuned by overwriting the [`cors.conf.template`](/common/etc/nginx/templates/gateway/cors.conf.template) file. |
 | `CORS_ALLOWED_ORIGIN` | No | | | value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*) |
+| `CORS_ALLOW_PRIVATE_NETWORK_ACCESS` | No | `true`, `false` | | Flag that enables responding to the CORS OPTIONS pre-flight request header `Access-Control-Request-Private-Network` with the `Access-Control-Allow-Private-Network` header. If the value is "true", responds with "true", if "false" responds with "false. If the environment variable is blank/not set, does not respond with any header. This value is only used if CORS is enabled. See [Private Network Access: introducing preflights](https://developer.chrome.com/blog/private-network-access-preflight/) for more information about this header. |
 
 If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html),