CLI's localhost listener handles CORS preflight requests for GETs #1887
It seems like some future release of Chrome will send CORS preflight requests before following a redirect to localhost from a public https web site. See https://chromestatus.com/feature/4869685172764672 for details.
For example, when the Pinniped CLI is configured to use Okta as an issuer, and when Okta redirects back to the CLI's localhost listener port with the authcode after the user logs in to Okta, then that redirect will cause a CORS preflight request for the browser to check if it is okay to follow the redirect by making a GET request to the CLI's localhost listener. This is because Okta is an example of an https web site running on a public IP address, and the CLI's localhost listener is a localhost IP address which is considered to live inside a private network.
Chrome does not implement this currently, but they seem to be working on implementing it starting in Chrome Beta v123. See https://developer.chrome.com/blog/chrome-123-beta#private_network_access_checks_for_navigation_requests_warning-only_mode. To prepare for someday when Chrome might require this CORS preflight request to pass, change the Pinniped CLI to respond to preflight requests in this situation and to allow GETs in its response.
Release note:
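The preflight exchange described in the PR text, as an added example in Go that is not the Pinniped CLI's own code. The handler names (`newCallbackHandler`, `handlePreflight`), the issuer origin `https://example.okta.com`, the `/callback` path and the query parameter names are assumptions for illustration. The `Access-Control-Request-Private-Network` / `Access-Control-Allow-Private-Network` header pair comes from Chrome's Private Network Access proposal and is not stated in the PR text; restricting the preflight to the configured issuer origin is a design choice of this example, not something the PR describes.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
)

// newCallbackHandler builds the handler for a CLI's localhost redirect URI
// (hypothetical name; not the Pinniped CLI's own code). allowedOrigin is the
// issuer's origin, e.g. "https://example.okta.com" (assumed); pass "" to accept
// a preflight from any origin. onCode receives the authcode and state from the
// GET the browser performs once the preflight has passed.
func newCallbackHandler(allowedOrigin string, onCode func(code, state string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodOptions:
			// Chrome's Private Network Access check: a CORS preflight sent before
			// a public https site is allowed to redirect the browser to localhost.
			handlePreflight(w, r, allowedOrigin)
		case http.MethodGet:
			q := r.URL.Query()
			code, state := q.Get("code"), q.Get("state")
			if code == "" || state == "" {
				http.Error(w, "missing code or state", http.StatusBadRequest)
				return
			}
			// The caller must still compare state with the value it generated
			// and use PKCE; CORS headers do not replace those checks.
			onCode(code, state)
			fmt.Fprintln(w, "Login complete. You may close this window.")
		default:
			w.Header().Set("Allow", "GET, OPTIONS")
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
}

// handlePreflight answers the OPTIONS request. Only a GET is ever expected on
// the callback path, so GET is the only method advertised.
func handlePreflight(w http.ResponseWriter, r *http.Request, allowedOrigin string) {
	origin := r.Header.Get("Origin")
	if origin == "" ||
		r.Header.Get("Access-Control-Request-Method") != http.MethodGet ||
		(allowedOrigin != "" && origin != allowedOrigin) {
		// Reply without any Access-Control-Allow-* header: the browser then
		// treats the preflight as failed and does not follow the redirect.
		w.WriteHeader(http.StatusForbidden)
		return
	}
	h := w.Header()
	h.Set("Access-Control-Allow-Origin", origin)
	h.Set("Access-Control-Allow-Methods", http.MethodGet)
	h.Set("Vary", "Origin")
	// Header names from Chrome's Private Network Access proposal (assumption:
	// not stated in the PR text). The request header marks a private-network
	// preflight; the response header grants it.
	if r.Header.Get("Access-Control-Request-Private-Network") == "true" {
		h.Set("Access-Control-Allow-Private-Network", "true")
	}
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	// Bind to loopback only, on an ephemeral port, as a CLI listener would.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("listening on http://%s/callback", ln.Addr())
	handler := newCallbackHandler("https://example.okta.com", func(code, state string) {
		_ = code // never log the authcode itself
		log.Printf("received authcode for state=%s", state)
	})
	mux := http.NewServeMux()
	mux.Handle("/callback", handler)
	log.Fatal(http.Serve(ln, mux))
}
```

On the wire the permitted exchange is an OPTIONS to the listener answered with 204 and the `Access-Control-Allow-*` headers above, followed by the browser's GET carrying `code` and `state`, which is answered with 200. A preflight from any other origin, or asking for any method other than GET, gets a 403 with no CORS headers. Whether the preflight passes only decides if the browser follows the redirect; binding the authcode to the CLI's own `state` value and PKCE verifier remains the actual protection of the flow.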