Add CORS support for Private Network Access

[sixcorners]

Chrome will want a Access-Control-Allow-Private-Network header from the application if Access-Control-Request-Private-Network is sent in the preflight request. It would be nice if the CrossOrigin annotation handled this.

See https://developer.chrome.com/blog/private-network-access-preflight/.

[davidmobbssap]

Any update on this ?
Our product is relying on Spring to implement a web server, we are in a situation where private network access would break our workflow, and Google will one day or another enforce the change.
So... can we expect a solution within the Spring framework, or will we have to circumvent it ?
Thanks !

[rstoyanchev]

Thanks for raising this.

My initial read is that this would be another boolean attribute in CorsConfiguration and @CrossOrigin that we would check if the Access-Control-Allow-Private-Network request header is present. It'll also require some additional logic for preflight checks given that:

preflight requests for PNA are also sent for same-origin requests, if the target IP address is more private than the initiator

I note that the spec is still a draft, and it's unclear how much it is to evolve yet, even if it is in Chrome already.

[bgalek]

Access-Control-Allow-Private-Network is already there in your browsers, for now it's just a warning, but few days ago I've got caught in chrome experiment and it broke some internal stuff, can we update priority on this task?
@rstoyanchev?