CORS for private networks (RFC1918) warning on call to local service
Posted: 2022-01-14 10:45:12
Question:
I have a web application that communicates with a locally installed application through fetch JSON calls.
My webapp is hosted on https.
The local application, written in .NET 5, runs an embedded web server that listens on port 5001 over http, because we don't want to install a certificate on the client PC.
Update: I tried installing a certificate and making the call over https, but I still get this warning. The certificate is correctly installed on the client machine.
So the webapp calls the local application this way: http://localhost:5001/api/MyService
For this type of call, in Chrome 96 and several other versions, I get this warning:
Ensure private network requests are only made to resources that allow them
A site requested a resource from a network that it could only access because of its users' privileged network position. These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage.
To mitigate these risks, a future version of Chrome will require non-public subresources to opt-into being accessed with a preflight request.
To fix this issue, ensure that response to the preflight request for the private network resource has the Access-Control-Allow-Private-Network header set to true.
Administrators can make use of the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies to temporarily disable this restriction on all or certain websites.
https://developer.chrome.com/blog/private-network-access-update?utm_source=devtools
I applied what they say and added Access-Control-Allow-Private-Network to the response, but I still get this warning.
The request is made in JavaScript with fetch:
const response = await fetch(lUrl, {
    method: "GET",
    headers: {
        //'Accept': 'application/json',
        //'Content-Type': 'application/json',
        'Access-Control-Request-Private-Network': 'true'
    }
});
The local server seems to be configured correctly for CORS:
app.Use(async (context, next) =>
{
    // must be placed before UseCors, because we want this set on the preflight response
    context.Response.Headers.Add("Access-Control-Allow-Private-Network", "true");
    await next();
});
app.UseCors(builder => builder
    .AllowAnyOrigin()
    .AllowAnyMethod()
    .AllowAnyHeader());
Now I don't know what to try next.
Below is an example of the preflight and of the request (each of them produces the warning).
Preflight
General
Request URL: https://localhost:5101/api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
Request Method: OPTIONS
Status Code: 204
Remote Address: 127.0.0.1:5101
Referrer Policy: strict-origin-when-cross-origin
Response
access-control-allow-headers: access-control-request-private-network
access-control-allow-methods: GET
access-control-allow-origin: *
access-control-allow-private-network: true
date: Mon, 13 Dec 2021 11:25:28 GMT
server: Kestrel
Request
:authority: localhost:5101
:method: OPTIONS
:path: /api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
access-control-request-headers: access-control-request-private-network
access-control-request-method: GET
cache-control: no-cache
origin: https://mydomain:7515
pragma: no-cache
referer: https://mydomain:7515/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/96.0.4664.93 Safari/537.36
The request itself
General
Request URL: https://localhost:5101/api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
Request Method: GET
Status Code: 200
Remote Address: 127.0.0.1:5101
Referrer Policy: strict-origin-when-cross-origin
Response
access-control-allow-origin: *
access-control-allow-private-network: true
content-type: application/json; charset=utf-8
date: Mon, 13 Dec 2021 11:25:35 GMT
server: Kestrel
Request
:authority: localhost:5101
:method: GET
:path: /api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
access-control-request-private-network: true
cache-control: no-cache
origin: https://mydomain:7515
pragma: no-cache
referer: https://mydomain:7515/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Thanks for your help.
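As an added illustration (not code from the question or from its .NET service), here is the Private Network Access preflight exchange written as two pure functions, one per side: the server decides the OPTIONS response from the preflight's request headers, and the browser-side check applies the rules Chrome evaluates before sending the real GET. The allowed origin "https://mydomain:7515" and the GET-only method list are assumptions taken from the captured headers above; the preflight object is constructed from those same captured lines.

```javascript
// Assumed from the capture above: the only web app origin that may call
// the local service. Echoing it, rather than "*", is the point of the example.
const ALLOWED_ORIGIN = "https://mydomain:7515";

// Server side: decide the OPTIONS response from the preflight request headers
// (lower-cased names, as Node's http module delivers them).
function handlePreflight(req) {
  const headers = {};
  if (req["origin"] !== ALLOWED_ORIGIN) {
    // Unknown origin: answer with no CORS headers at all, so the browser refuses it.
    return { status: 403, headers };
  }
  headers["access-control-allow-origin"] = req["origin"];
  headers["vary"] = "Origin";
  headers["access-control-allow-methods"] = "GET";
  if (req["access-control-request-headers"]) {
    headers["access-control-allow-headers"] = req["access-control-request-headers"];
  }
  // The PNA opt-in: Chrome puts this request header on the preflight itself when a
  // public page targets a private or loopback address; the server answers in kind.
  if (req["access-control-request-private-network"] === "true") {
    headers["access-control-allow-private-network"] = "true";
  }
  return { status: 204, headers };
}

// Browser side: the checks applied to the preflight response before the real
// request goes out. Returns null on success, otherwise the name of the failing rule.
function browserAcceptsPreflight(req, resp) {
  const h = resp.headers;
  if (resp.status < 200 || resp.status > 299) return "preflight status";
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== req["origin"]) return "origin";
  const method = req["access-control-request-method"];
  const methods = (h["access-control-allow-methods"] || "").split(/,\s*/);
  if (!methods.includes(method) && !["GET", "HEAD", "POST"].includes(method)) return "method";
  if (req["access-control-request-private-network"] === "true" &&
      h["access-control-allow-private-network"] !== "true") return "private network";
  return null;
}

// Constructed preflight, reduced to the headers the decision depends on
// (values copied from the captured OPTIONS request above).
const PREFLIGHT = {
  "origin": "https://mydomain:7515",
  "access-control-request-method": "GET",
  "access-control-request-private-network": "true",
};
```

The `access-control-request-headers: access-control-request-private-network` line in the capture is there because the fetch call sets `Access-Control-Request-Private-Network` by hand; Chrome adds that header to the preflight on its own, so the hand-set copy only turns the GET into a preflighted request.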
Comments:
You can refer to the answer in this post; you need to add a self-signed certificate and the Access-Control-* headers: ***.com/questions/66534759/…
@Chaodeng I just updated my post, could you take a look?
Answer 1:
The subject was finally checked directly with the Chromium team in this thread: https://bugs.chromium.org/p/chromium/issues/detail?id=1279700#c1
It seems I only get this warning because I enabled the Experimental Web Platform Features flag. The subject will be taken into account starting with Chrome 98, so for now this warning is not relevant.
Let's see what happens from Chrome 98 onward.