
We have a test environment on a public site. There we use the --disable-web-security flag on Chrome so the testers can bypass CORS errors for public service calls during the manual test phase. We also have localhost requests on the agent machine. However, with today's Chrome 98 update we started struggling with the network requests targeting localhost.

The error we get is for the localhost requests from a public site:
Access to XMLHttpRequest at 'https://localhost:3030/static/first.qjson' from origin 'https://....com' has been blocked by CORS policy: Request had no target IP address space, yet the resource is in address space `local`.

The site on localhost is configured to return Access-Control-Allow-* CORS headers, including "Access-Control-Allow-Private-Network: true".

I also do not see any preflight request, just one GET request with the CORS error on it.

We suspect this might be a side effect of disabling web security with --disable-web-security; it might be preventing Chrome from obtaining the target IP address space. Our assumption is based on the CORS preflight section of https://wicg.github.io/private-network-access/

3.1.2. CORS preflight
The HTTP fetch algorithm should be adjusted to ensure that a preflight is triggered for all private network requests initiated from secure contexts.

The main issue here is again that the response’s IP address space is not known until a connection is obtained in HTTP-network fetch, which is layered under CORS-preflight fetch.

So does anyone know any workaround for Private Network Access with the --disable-web-security flag? Or maybe we are missing something. Thanks for the help.

sideshowbarker
Alper Batıoğlu
    Same issue [here](https://stackoverflow.com/questions/70967205/unable-to-access-the-b2c-page-from-localhost-and-getting-cors-error-even-after-u) from yesterday. – T.J. Crowder Feb 07 '22 at 12:26
  • Instead of using `--disable-web-security` (which isn't sustainable), why don't you fix the original CORS issue instead? – jub0bs Feb 07 '22 at 15:29
  • @jub0bs yes, that is a legitimate approach as well, and we have also guided the backend teams to that, but you can imagine how many of them there are. So we are searching for any workaround here. – Alper Batıoğlu Feb 08 '22 at 06:25
  • @AlperBatıoğlu What's worse? Biting the bullet and setting up CORS properly once and for all, or asking your colleagues to disable their browser's security and putting them at risk? – jub0bs Feb 08 '22 at 06:44
  • 1
    @jub0bs, I completely agree with you. I just left a hot meeting about this, again we lead teams to fix CORS issues. But you know how easy solutions are adapted faster. Yet again as --disable-web-security is still a feature and users of this feature are guided for test purposes only, we are searching if any workaround exists. As of now tester browsers are downgraded. – Alper Batıoğlu Feb 08 '22 at 17:04

2 Answers


The steps below can help solve the issue in Chrome 98; for other browsers like Edge you need to do something similar.

For MAC

  • Requestly with Chrome version 98. You need to follow these steps: run this command in the terminal

    defaults write com.google.Chrome InsecurePrivateNetworkRequestsAllowed -bool true

  • Restart your browser; if that does not work, restart your machine

For WINDOWS

  • Run 'regedit' to open the Windows registry (if a permission issue comes up, run that command from an admin command prompt)
  • Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
  • Create new DWORD value with "InsecurePrivateNetworkRequestsAllowed" Name
  • Change Value to "1"
  • Restart your Browser
Sandy
    Two notes: - Did not have the key "HKLM\SOFTWARE\Policies\Google\Chrome", but after creating it, it did the job. That's it. - Also another key "InsecurePrivateNetworkRequestsAllowedForUrls" exists for URL-specific requirements. -> https://developer.chrome.com/blog/private-network-access-update/ That can be arranged by admins. Thanks. – Alper Batıoğlu Feb 09 '22 at 08:49
  • an example of the use of ...Urls looks like [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\InsecurePrivateNetworkRequestsAllowedForUrls] "1"="https://[*.]source.com/*" – pposada Feb 10 '22 at 14:39
  • Could anyone explain the reason why this works? I did install a VPN app, but I'm not launching it. Why do I still get the CORS error with "Chrome 98 Private Network Access"? – Junior Tour Mar 09 '22 at 09:54
  • Doesn't work anymore. I ended up creating a trusted self-signed certificate using https://github.com/FiloSottile/mkcert – Nitin Apr 26 '22 at 07:33
  • Chrome recently released Version 102 which implements new requirements for CORS private network access. If you have a public facing app that calls to an api on a private IP block like a 10.x.x.x. or a 192.x.x.x then it will fail. This answer for windows fixed the error for me – Mike May 27 '22 at 05:21
  • For my Windows, adding `InsecurePrivateNetworkRequestsAllowed` as an "expandable String Value" did the job (with value set to `true`) – erwanlfrt Jun 22 '22 at 09:09

LINUX

For Linux users, you have to create a policy file in this path:

mkdir -p /etc/chromium/policies/managed

# for chrome you should change the path to this
# /etc/opt/chrome/policies/managed

Then create a new JSON file for the policies:

cd /etc/chromium/policies/managed
touch dev_policy.json

and put this content in it:

{
  "InsecurePrivateNetworkRequestsAllowed": 1
}

For Chrome:

{
  "InsecurePrivateNetworkRequestsAllowed": true
}

That is it; the next time you start Chrome on your machine it will load these new policies.

P.S. You can check whether the policies are loaded correctly here: chrome://policy/

Ehsan Nouri