CORS Access-Control-Allow-Private-Network

[t0rr3sp3dr0]

Title: CORS Access-Control-Allow-Private-Network

Description:

Add a new allow_private_network option to config.route.v3.CorsPolicy that will make Envoy respond requests with the header Access-Control-Allow-Private-Network: true when the header Access-Control-Request-Private-Network: true is present on OPTIONS requests.

Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification.

Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true.

Relevant Links:

https://developer.chrome.com/blog/private-network-access-preflight/

[KBaichoo]

cc @daixiang0 @wbpcode

[daixiang0]

I will take a look.

[daixiang0]

@envoyproxy/envoy-maintainers please close as it is fixed.

[bruce-c-liu]

Hi when will this be released?

[adisuissa]

Hi when will this be released?

IIUC this will be part of 1.24.0, and according to the releases schedule the version should be cut in a couple of weeks.