专用网络的CORS(RFC1918)对本地服务的呼叫发出警告 [英] CORS for private networks (RFC1918) warning on call to local service

问题描述

我有一个Web应用程序，它通过调用FETCH json与安装的本地应用程序进行通信。

我的WebApp托管在HTTPS中

本地应用程序是用.Net 5编写的，它在http上运行一个监听5001端口的嵌入式Web服务器，因为我们不想在客户端PC上安装证书

更新：我尝试放置证书并通过HTTPS进行调用，但我仍然收到此警告。证书已正确安装在客户端计算机上

所以Webapp通过这样的方式调用本地app：http://localhost:5001/api/MyService

在Chrome 96和更高版本的此类调用中，我收到以下警告

Ensure private network requests are only made to resources that allow them
A site requested a resource from a network that it could only access because of its users' privileged network position. These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage.
To mitigate these risks, a future version of Chrome will require non-public subresources to opt-into being accessed with a preflight request.
To fix this issue, ensure that response to the preflight request for the private network resource has the Access-Control-Allow-Private-Network header set to true.
Administrators can make use of the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies to temporarily disable this restriction on all or certain websites.
https://developer.chrome.com/blog/private-network-access-update?utm_source=devtools

我应用了他们所说的，并在响应中添加了Access-Control-Allow-Private-Network，但我仍然有此警告。

请求是在带FETCH的Java脚本中提出的

    const response = await fetch(lUrl, {
                        method: "GET",
                        headers: {
                            //'Accept': 'application/json',
                            //'Content-Type': 'application/json',
                            'Access-Control-Request-Private-Network': 'true'
                        }
                    });

本地服务器似乎在CORS方面配置正确

 app.Use(async (context, next) =>
            {
                //a bien mettre avant le usecors, car on veut que ce soit setté en response de la preflight
                context.Response.Headers.Add("Access-Control-Allow-Private-Network", "true");
                await next();
            });

app.UseCors(builder => builder
            .AllowAnyOrigin()
            .AllowAnyMethod()
            .AllowAnyHeader());

现在，我不知道该尝试什么

下面是印前检查和请求的示例(分别生成警告)

印前检查

General

Request URL: https://localhost:5101/api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
Request Method: OPTIONS
Status Code: 204 
Remote Address: 127.0.0.1:5101
Referrer Policy: strict-origin-when-cross-origin

Response

access-control-allow-headers: access-control-request-private-network
access-control-allow-methods: GET
access-control-allow-origin: *
access-control-allow-private-network: true
date: Mon, 13 Dec 2021 11:25:28 GMT
server: Kestrel

Request

:authority: localhost:5101
:method: OPTIONS
:path: /api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
access-control-request-headers: access-control-request-private-network
access-control-request-method: GET
cache-control: no-cache
origin: https://mydomain:7515
pragma: no-cache
referer: https://mydomain:7515/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

请求本身

General

Request URL: https://localhost:5101/api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
Request Method: GET
Status Code: 200 
Remote Address: 127.0.0.1:5101
Referrer Policy: strict-origin-when-cross-origin

Response 

access-control-allow-origin: *
access-control-allow-private-network: true
content-type: application/json; charset=utf-8
date: Mon, 13 Dec 2021 11:25:35 GMT
server: Kestrel

Request

:authority: localhost:5101
:method: GET
:path: /api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
access-control-request-private-network: true
cache-control: no-cache
origin: https://mydomain:7515
pragma: no-cache
referer: https://mydomain:7515/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

感谢您的帮助

推荐答案

该主题最终与铬团队直接就该主题进行了检查https://bugs.chromium.org/p/chromium/issues/detail?id=1279700#c1

我发出这个警告似乎只是因为我激活了试验性的网络平台功能。此主题将被视为正在启动Chrome 98，因此目前与此警告无关。

让我们看看启动Chrome 98会发生什么情况

这篇关于专用网络的CORS(RFC1918)对本地服务的呼叫发出警告的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！