CORS for private networks (RFC 1918): warning on calls to a local service
I have a web application that communicates with a locally installed application by calling fetch for JSON.
My web app is hosted on HTTPS.
The local application is written in .NET 5 and runs an embedded web server listening on port 5001 over HTTP, because we don't want to install certificates on client PCs.
Update: I tried installing a certificate and making the calls over HTTPS, but I still get this warning. The certificate is correctly installed on the client machine.
So the web app calls the local app like this: http://localhost:5001/api/MyService
In Chrome 96 and later, on such calls I get the following warning:
Ensure private network requests are only made to resources that allow them
A site requested a resource from a network that it could only access because of its users' privileged network position. These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage.
To mitigate these risks, a future version of Chrome will require non-public subresources to opt-into being accessed with a preflight request.
To fix this issue, ensure that response to the preflight request for the private network resource has the Access-Control-Allow-Private-Network header set to true.
Administrators can make use of the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies to temporarily disable this restriction on all or certain websites.
https://developer.chrome.com/blog/private-network-access-update?utm_source=devtools
I applied what they say and added Access-Control-Allow-Private-Network to the response, but I still get this warning.
The request is made in JavaScript with fetch:
// lUrl is the local service URL, e.g. http://localhost:5001/api/MyService (see above)
const response = await fetch(lUrl, {
method: "GET",
headers: {
//'Accept': 'application/json',
//'Content-Type': 'application/json',
'Access-Control-Request-Private-Network': 'true'
}
});
The local server seems to be configured correctly for CORS:
app.Use(async (context, next) =>
{
// must be placed before UseCors, because we want it set on the preflight response
context.Response.Headers.Add("Access-Control-Allow-Private-Network", "true");
await next();
});
app.UseCors(builder => builder
.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader());
Now I don't know what to try.
Below is an example of the preflight and of the request (the one that produces the warning).
Preflight
General
Request URL: https://localhost:5101/api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
Request Method: OPTIONS
Status Code: 204
Remote Address: 127.0.0.1:5101
Referrer Policy: strict-origin-when-cross-origin
Response
access-control-allow-headers: access-control-request-private-network
access-control-allow-methods: GET
access-control-allow-origin: *
access-control-allow-private-network: true
date: Mon, 13 Dec 2021 11:25:28 GMT
server: Kestrel
Request
:authority: localhost:5101
:method: OPTIONS
:path: /api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
access-control-request-headers: access-control-request-private-network
access-control-request-method: GET
cache-control: no-cache
origin: https://mydomain:7515
pragma: no-cache
referer: https://mydomain:7515/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
The request itself
General
Request URL: https://localhost:5101/api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
Request Method: GET
Status Code: 200
Remote Address: 127.0.0.1:5101
Referrer Policy: strict-origin-when-cross-origin
Response
access-control-allow-origin: *
access-control-allow-private-network: true
content-type: application/json; charset=utf-8
date: Mon, 13 Dec 2021 11:25:35 GMT
server: Kestrel
Request
:authority: localhost:5101
:method: GET
:path: /api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
access-control-request-private-network: true
cache-control: no-cache
origin: https://mydomain:7515
pragma: no-cache
referer: https://mydomain:7515/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Thanks for your help.
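As an added example (not code from the original post or from the local .NET service it describes), the exchange captured above modelled in Node.js: the browser side builds the OPTIONS preflight the way Chrome does for a public page calling localhost, and the server side decides whether to grant it. It goes beyond the post's setup in one respect: it echoes an allow-listed origin instead of answering `*`, so that not every website on the internet can drive the local service. `POLICY`, the function names and the origin `https://other.example` are assumptions for illustration; the header names and the origin `https://mydomain:7515` come from the captured preflight.

```javascript
// Added example, not code from the original post. It models the Private
// Network Access (PNA) preflight from the question and a server-side decision
// that uses an origin allow-list instead of "*". Header names come from the
// captured exchange in the post; POLICY, the function names and the origin
// https://other.example are assumptions for illustration.

// Sample policy (constructed): only the web app's origin from the post may
// reach the local service, and it may do so over a private-network request.
const POLICY = {
  allowedOrigins: ["https://mydomain:7515"],
  allowedMethods: ["GET"],
  // The post's fetch() sets this as a custom header, so it shows up in
  // Access-Control-Request-Headers and must be allowed explicitly.
  allowedHeaders: ["access-control-request-private-network"],
  allowPrivateNetwork: true,
};

// Browser side: headers Chrome puts on the OPTIONS preflight. When the target
// is more private than the page (public site -> localhost), Chrome itself adds
// Access-Control-Request-Private-Network: true; custom headers the page sets
// in fetch() are only listed in Access-Control-Request-Headers.
function buildPreflight(origin, method, customHeaderNames, targetIsPrivate) {
  const req = { origin, "access-control-request-method": method };
  if (customHeaderNames.length > 0) {
    req["access-control-request-headers"] = customHeaderNames
      .map((h) => h.toLowerCase()).sort().join(",");
  }
  if (targetIsPrivate) req["access-control-request-private-network"] = "true";
  return req;
}

// Server side: answer the preflight. Returns { status, headers }; any 403
// makes the browser fail the CORS check, so the real GET is never sent.
function answerPreflight(req, policy) {
  const headers = { vary: "Origin" };
  const origin = req.origin || "";
  if (!policy.allowedOrigins.includes(origin)) return { status: 403, headers };
  headers["access-control-allow-origin"] = origin; // echo the origin, never "*"

  const method = (req["access-control-request-method"] || "").toUpperCase();
  if (!policy.allowedMethods.includes(method)) return { status: 403, headers };
  headers["access-control-allow-methods"] = policy.allowedMethods.join(", ");

  const requested = (req["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.allowedHeaders.map((h) => h.toLowerCase());
  if (requested.some((h) => !allowed.includes(h))) return { status: 403, headers };
  if (requested.length > 0) headers["access-control-allow-headers"] = requested.join(", ");

  // PNA: grant private-network access only when the browser asked for it and
  // the policy permits it. This header is checked on the preflight response only.
  if (req["access-control-request-private-network"] === "true") {
    if (!policy.allowPrivateNetwork) return { status: 403, headers };
    headers["access-control-allow-private-network"] = "true";
  }
  return { status: 204, headers };
}

// Walk through the exchange captured in the post: preflight from the web
// app's origin (with the custom header its fetch() sets), then the same
// preflight from an origin that is not on the allow-list.
function demo() {
  const ok = answerPreflight(
    buildPreflight("https://mydomain:7515", "GET",
      ["Access-Control-Request-Private-Network"], true),
    POLICY);
  const denied = answerPreflight(
    buildPreflight("https://other.example", "GET", [], true), POLICY);
  return { ok, denied };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things the model makes visible that the captured headers only hint at: the browser adds `Access-Control-Request-Private-Network: true` to the preflight on its own, so the page does not need to set it in fetch() (setting it is what puts it under `access-control-request-headers` in the captured preflight and is why the .NET side needs `AllowAnyHeader()` or an explicit allow-list entry); and `Access-Control-Allow-Private-Network: true` only has to appear on the preflight response, so adding it to every response, as the middleware above does, is harmless but not required.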
Solution
This was eventually checked directly with the Chromium team on this topic: https://bugs.chromium.org/p/chromium/issues/detail?id=1279700#c1
It seems I only get this warning because I enabled the Experimental Web Platform features flag. This topic is to be considered when Chrome 98 launches, so for now there is nothing to do about this warning.
Let's see what happens when Chrome 98 launches.