Add support for Private Network Access (CORS header Access-Control-Allow-Private-Network)

[Andreas-Hjortland]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I am trying to reach my ASP.NET core api running on https://localhost:5001/ from a SPA which is hosted on another domain (although same computer for me) and I get a CORS error.

Describe the solution you'd like

I would like to propose that we extend the CorsPolicy with the boolean property AllowPrivateNetworkAccess and CorsPolicyBuilder with the method WithPrivateNetworkAccess which the CorsService uses to set the Access-Control-Allow-Private-Network: true on preflight requests if the browser sends the Access-Control-Request-Private-Network: true header in the request.

Additional context

Link to WICG Draft: https://wicg.github.io/private-network-access/
Link to Chrome developer article about the feature and roll out: https://developer.chrome.com/blog/private-network-access-preflight/

[Andreas-Hjortland]

For people who are having issues with the private network access cors header, you can add the following code snippet just before app.UseCors() in your ASP.NET application to work around the issue until we get proper support through the CorsPolicyBuilder interface:

// Enable PNA preflight requests
app.Use(async (ctx, next) =>
{
    if (ctx.Request.Method.Equals("options", StringComparison.InvariantCultureIgnoreCase) && ctx.Request.Headers.ContainsKey("Access-Control-Request-Private-Network"))
    {
        ctx.Response.Headers.Add("Access-Control-Allow-Private-Network", "true");
    }

    await next();
});
app.UseCors();

[Andreas-Hjortland]

I am willing to try to implement this feature if you decide that you want to add it =)

[blowdart]

We tend not to add support for unoffical drafts as they are in flux, and can change at any time, and if they do so after we release we're in a bad position, having to support back compatibility as well as the updated standard.

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

[michaelakin]

Thanks for the code @Andreas-Hjortland That solved our issue, but it would be nice to see this a regular add on to the CORS configuration.

[jetersen]

@blowdart This is now live in Chrome 104 and above 😅

Thanks for contacting us.

We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.