CODEWITHSUNDEEP
google-chromeflaskfirefoxcorsprivate-network-access
Hendricks27
Hendricks27

Reputation: 33

CORS on Firefox and potential help on chrom private local network access

I am currently using the FLASK developer HTTP server, and I am trying to build a local service (run on localhost) that serves files for a remote visualization website.

Here is the code for the python side

@app.route('/task/<path:path>', methods=['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH'])
def static_file1(path):
    p = "./task/" + path
    return flask.send_file(p, conditional=True)

For safari, it just works like a charm. enter image description here As this screenshot indicates, flask development http server can serve files partially.

However, it didn't work for firefox for one request but not for the other. enter image description here And here are the headers for the first failed request enter image description here Successful request header enter image description here So I do believe the CORS header (Access-Control-Allow-Origin) is set correctly, otherwise the second request would fail.

Then what did I do incorrectly?

Second part:

It also doesn't work in Chrome, both requests failed, but I found the article below explaining new security features:

https://developer.chrome.com/blog/private-network-access-preflight/#:~:text=%23%20What%20is%20Private%20Network%20Access,to%20make%20private%20network%20requests.

But even with "Access-Control-Allow-Private-Network" set to "true" (See screenshot above), both requests still failed in chrome. And error msg:

Access to XMLHttpRequest at 'http://localhost:10981/task/a5c8616777d000499ff0cd5dbb02c957/datahub.json' from origin 'https://somepublic.website' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.

Any suggestion would be helpful! Thanks!

Update 1: After enabling ad-hoc SSL context (unsigned certificate) on the flask side, and using https on both localhost and "the public website", and changing the "#allow-insecure-localhost" flag in chrome to true, it works in chrome now. But still doesn't in firefox.

Upvotes: 0

Views: 247

Answers (1)

Quentin
Quentin

Reputation: 944320

If you check the specification you will see that it is a "Draft Community Group Report" and

This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track.

The contribute list is made up entirely of people working for Google.

I can't find any mention of it in Firefox's bug tracker.

It looks like this is a highly experimental specification, which Firefox simple doesn't implement.

There doesn't appear to be any way to persuade Firefox to provide access from a secure, public Oritin to an insecure private origin.

Upvotes: 1

Related Questions