All private network requests unintentionally allowed #337

Open
lmm-git opened this issue Oct 9, 2023 · 1 comment

Comments

lmm-git commented Oct 9, 2023

With #318, the Access-Control-Allow-Private-Network header was introduced to this package, which now seemingly sets the header unconditionally whenever Access-Control-Allow-Private-Network: true is set in the client request.

This renders the whole private network requests initiative useless, as it basically restores the "classic" behavior of allowing all requests, as before Chrome introduced this feature. For more information, please check the standard.

As the Chrome devs have introduced this feature as a security measure, I would consider this a security vulnerability. The newly introduced security measure is getting explicitly deactivated by this package, probably unknown to most users of this package.

My recommendation is to allow users of this package to decide whether the Access-Control-Allow-Private-Network header is being set. This might incur breaking changes in some projects, but should be fine for most, as it only impacts projects which are called from publicly available web pages hosted in private networks. For example, in some projects where we are using this package, we would like not to set the Access-Control-Allow-Private-Network header, as we are hosting an internal API with this library, but it does not have to be available to external web pages. As I would propose to be secure by default, this header should not be sent by default.
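The behaviour described in the comment above, and the secure-by-default alternative it asks for, side by side in a small Go `net/http` CORS preflight handler. This is an added example written for this page; it is not code from the package the issue is about, and `Options`, `AllowPrivateNetwork`, `preflight`, `Middleware` and the sample origins are assumed names, not the package's API. The only fixed facts it relies on are the two Private Network Access header names: the browser adds `Access-Control-Request-Private-Network: true` to the preflight, and the fetch only proceeds if the server answers with `Access-Control-Allow-Private-Network: true`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header names from the Private Network Access (PNA) draft.
const (
	pnaRequest = "Access-Control-Request-Private-Network"
	pnaAllow   = "Access-Control-Allow-Private-Network"
)

// Options is a hypothetical CORS configuration (assumed for this example,
// not the API of the package discussed in the issue).
type Options struct {
	AllowedOrigins      []string // exact origins, or "*"
	AllowedMethods      []string
	AllowPrivateNetwork bool // zero value false: secure by default
}

func (o Options) originAllowed(origin string) bool {
	for _, a := range o.AllowedOrigins {
		if a == "*" || strings.EqualFold(a, origin) {
			return true
		}
	}
	return false
}

// preflight builds the CORS preflight response headers for r.
// echoPNAUnconditionally reproduces the behaviour the issue reports: the
// server echoes "true" whenever the browser asks, regardless of configuration.
// With it false, the header is only sent when the operator opted in.
func preflight(o Options, r *http.Request, echoPNAUnconditionally bool) http.Header {
	h := http.Header{}
	origin := r.Header.Get("Origin")
	if r.Method != http.MethodOptions || r.Header.Get("Access-Control-Request-Method") == "" || !o.originAllowed(origin) {
		return h // not a preflight we are willing to answer
	}
	h.Set("Access-Control-Allow-Origin", origin)
	h.Set("Access-Control-Allow-Methods", strings.Join(o.AllowedMethods, ", "))
	h.Add("Vary", "Origin")
	if r.Header.Get(pnaRequest) == "true" && (echoPNAUnconditionally || o.AllowPrivateNetwork) {
		h.Set(pnaAllow, "true")
	}
	return h
}

// Middleware answers preflights with the secure-by-default headers and
// passes every other request through to next.
func Middleware(o Options, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			for k, v := range preflight(o, r, false) {
				w.Header()[k] = v
			}
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// pnaPreflight constructs the preflight a browser sends when a page on
// `origin` fetches a private-network address (constructed sample request).
func pnaPreflight(origin string, asksPNA bool) *http.Request {
	r := httptest.NewRequest(http.MethodOptions, "http://10.0.0.5/api/status", nil)
	r.Header.Set("Origin", origin)
	r.Header.Set("Access-Control-Request-Method", "GET")
	if asksPNA {
		r.Header.Set(pnaRequest, "true")
	}
	return r
}

func main() {
	o := Options{AllowedOrigins: []string{"https://intranet.example"}, AllowedMethods: []string{"GET"}}
	req := pnaPreflight("https://intranet.example", true)
	fmt.Println("reported behaviour:", preflight(o, req, true).Get(pnaAllow))  // true
	fmt.Println("secure default:    ", preflight(o, req, false).Get(pnaAllow)) // "" (header absent)
	o.AllowPrivateNetwork = true
	fmt.Println("explicit opt-in:   ", preflight(o, req, false).Get(pnaAllow)) // true

	rec := httptest.NewRecorder()
	Middleware(o, http.NotFoundHandler()).ServeHTTP(rec, req)
	fmt.Println("status:", rec.Code, pnaAllow+":", rec.Header().Get(pnaAllow))
}
```

The check that matters is the `o.AllowPrivateNetwork` conjunction: the browser asking is necessary but not sufficient. An internal API that keeps the zero-value configuration answers the preflight without the PNA header, so Chrome blocks the fetch from a public page, which is the outcome the initiative was meant to give operators who never opted in.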
