Support Private Network Access #190

Merged
merged 1 commit into from
Jun 24, 2024

Conversation

mluex
Contributor

@mluex mluex commented Jul 19, 2023

Chrome is deprecating access to private network endpoints from non-secure websites as part of the Private Network Access specification. The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. These attacks have affected hundreds of thousands of users, allowing attackers to redirect them to malicious servers.

Source: https://developer.chrome.com/blog/private-network-access-update/

For more up-to-date details on how it works and on the implementation timeline on the part of Google Chrome, please check out the link provided.

To summarize briefly:
When the browser notices that a website A wants to request a resource from website B, and website B is in private IP space, the browser sends additional headers in the preflight request (along with CORS headers, if any).

OPTIONS /delete-item HTTP/1.1
Origin: https://www.example.com
Access-Control-Request-Method: PUT
Access-Control-Request-Credentials: true
Access-Control-Request-Private-Network: true

The header Access-Control-Request-Private-Network: true is the one we are concerned with here.

If the server behind website B wants to allow this request, then it has to respond with status code 200 / 204 and the response header Access-Control-Allow-Private-Network: true.

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Methods: PUT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Private-Network: true

This PR implements the standard in this great bundle to allow or deny (default) Private Network Access with the appropriate header.

Users may set allow_private_network: true in nelmio_cors.yaml to instruct the bundle to set Access-Control-Allow-Private-Network: true for Preflight requests containing Access-Control-Request-Private-Network: true.
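As an added example (not code from this PR or from NelmioCorsBundle), the following Node.js-style preflight handler shows the decision the description above asks the bundle to make: the Access-Control-Allow-Private-Network: true response header is emitted only when the preflight carried Access-Control-Request-Private-Network: true and the policy explicitly opts in; a plain CORS preflight never receives it, and the default is deny. The policy object (allowOrigins, allowMethods, allowCredentials, allowPrivateNetwork), the lowercase-keyed header map and the function names are assumptions for this example, not the bundle's own option names or API.

```javascript
// Added example: CORS preflight handling with the Private Network Access
// (PNA) check placed where the PR description puts it. Not bundle code;
// the policy shape below is an assumption made for this example.

// Default policy: PNA is denied unless allowPrivateNetwork is set to true,
// mirroring the "allow or deny (default)" behaviour described above.
const defaultPolicy = {
  allowOrigins: ["https://www.example.com"],
  allowMethods: ["GET", "PUT"],
  allowCredentials: true,
  allowPrivateNetwork: false,
};

// Node's http module lowercases incoming header names; this helper assumes
// the same convention so lookups are case-insensitive on the wire.
function header(headers, name) {
  const v = headers[name.toLowerCase()];
  return typeof v === "string" ? v.trim() : "";
}

// Decide the response to an OPTIONS preflight. Returns { status, headers }.
// A denied PNA preflight is answered without the Allow-Private-Network
// header; the browser then refuses to send the actual request.
function preflightResponse(requestHeaders, policy) {
  const origin = header(requestHeaders, "Origin");
  if (!origin || !policy.allowOrigins.includes(origin)) {
    // Unknown origin: no CORS headers at all, so nothing is leaked.
    return { status: 403, headers: {} };
  }

  const method = header(requestHeaders, "Access-Control-Request-Method").toUpperCase();
  if (!policy.allowMethods.includes(method)) {
    return { status: 403, headers: {} };
  }

  const out = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": method,
    // The response depends on Origin, so caches must key on it.
    "Vary": "Origin",
  };
  if (policy.allowCredentials) {
    out["Access-Control-Allow-Credentials"] = "true";
  }

  // PNA: the browser sends exactly "true"; echo the allow header only when
  // the request asked for it AND the policy opted in. Never emit it
  // unconditionally, or every preflight would grant private-network access.
  const asksPrivateNetwork =
    header(requestHeaders, "Access-Control-Request-Private-Network") === "true";
  if (asksPrivateNetwork && policy.allowPrivateNetwork === true) {
    out["Access-Control-Allow-Private-Network"] = "true";
  }

  return { status: 204, headers: out };
}

// Constructed sample preflight, modelled on the request in the description.
const samplePnaPreflight = {
  "origin": "https://www.example.com",
  "access-control-request-method": "PUT",
  "access-control-request-private-network": "true",
};

// Stand-alone demo: same preflight, deny-by-default vs. opted-in policy.
const optedIn = { ...defaultPolicy, allowPrivateNetwork: true };
console.log("default policy:", preflightResponse(samplePnaPreflight, defaultPolicy));
console.log("allowPrivateNetwork true:", preflightResponse(samplePnaPreflight, optedIn));
```

Note that the handler answers a denied PNA preflight with 204 and the ordinary CORS headers but no Access-Control-Allow-Private-Network header; the browser treats the missing header as a failed preflight, which is the intended deny behaviour.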

@Seldaek Seldaek merged commit fda78aa into nelmio:master Jun 24, 2024
@Seldaek
Member

Seldaek commented Jun 24, 2024

Thanks, looks good to me
