We have a test environment on a public site. There we use --disable-web-security flag on chrome for the testers to bypass CORS errors for public service calls during manual test phase. And also we have localhost requests on the agent machine. However today with Chrome 98 update we started struggling with the network requests targeting localhost.
The error we get is for the localhost requests from a public site:
Access to XMLHttpRequest at 'https://localhost:3030/static/first.qjson' from origin 'https://....com' has been blocked by CORS policy: Request had no target IP address space, yet the resource is in address space `local`.
The site on localhost is configured to return Access-Control-Allow-* CORS headers including "Access-Control-Allow-Private-Network: true".
And also I do not see any preflight request. Just one GET request with CORS error on it.
We suspect this might be a side effect caused when you disable web security by --disable-web-security. It might be preventing obtaining of the target IP address space. Our assumption is based on the CORS preflight section on https://wicg.github.io/private-network-access/
3.1.2. CORS preflight
The HTTP fetch algorithm should be adjusted to ensure that a preflight is triggered for all private network requests initiated from secure contexts.
The main issue here is again that the response’s IP address space is not known until a connection is obtained in HTTP-network fetch, which is layered under CORS-preflight fetch.
So does anyone know any workaround for Private Network Access with --disable-web-security flag ? Or maybe we are missing something. Thanks for the help.
Below Steps can help to solve issue in chrome 98, for other browser like edge you need to do similar like chrome.
Requestly with chrome version 98. You need to follow following steps :- Run this command on terminal
defaults write com.google.Chrome InsecurePrivateNetworkRequestsAllowed -bool true
Restart your Browser, Not work then restart your machine