
CLI's localhost listener handles CORS preflight requests for GETs #1887

Merged (2 commits) on Mar 8, 2024

Conversation

cfryanr (Member) commented Mar 6, 2024

It seems like some future release of Chrome will send CORS preflight requests before following a redirect to localhost from a public https web site. See https://chromestatus.com/feature/4869685172764672 for details.

For example, when the Pinniped CLI is configured to use Okta as an issuer, and when Okta redirects back to the CLI's localhost listener port with the authcode after the user logs in to Okta, then that redirect will cause a CORS preflight request for the browser to check if it is okay to follow the redirect by making a GET request to the CLI's localhost listener. This is because Okta is an example of an https web site running on a public IP address, and the CLI's localhost listener is a localhost IP address which is considered to live inside a private network.

Chrome does not implement this currently, but they seem to be working on implementing it starting in Chrome Beta v123. See https://developer.chrome.com/blog/chrome-123-beta#private_network_access_checks_for_navigation_requests_warning-only_mode. To prepare for someday when Chrome might require this CORS preflight request to pass, change the Pinniped CLI to respond to preflight requests in this situation and to allow GETs in its response.

Release note:

TODO
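For readers unfamiliar with what such a preflight looks like, here is an added example of a localhost callback handler that answers it (this is illustrative code written for this page, not Pinniped's own handler). It assumes the CLI knows the issuer's origin (`issuerOrigin`, a constructed value), that the browser marks a private-network preflight with `Access-Control-Request-Private-Network: true`, and that only GET should be allowed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// issuerOrigin stands in for the configured OIDC issuer (constructed value).
const issuerOrigin = "https://issuer.example.invalid"

// callbackHandler serves the CLI's localhost redirect URI (hypothetical, not
// Pinniped's code): it answers the OPTIONS preflight sent before the redirect
// is followed, allowing only GET, then accepts the GET carrying the authcode.
func callbackHandler(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	case http.MethodOptions:
		if r.Header.Get("Origin") != issuerOrigin { // only the issuer we sent the user to
			w.WriteHeader(http.StatusForbidden)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", issuerOrigin)
		h.Set("Access-Control-Allow-Methods", http.MethodGet)
		// Private Network Access: answer the browser's request header with the Allow header.
		if r.Header.Get("Access-Control-Request-Private-Network") == "true" {
			h.Set("Access-Control-Allow-Private-Network", "true")
		}
		w.WriteHeader(http.StatusNoContent)
	case http.MethodGet:
		// A real handler validates state and exchanges r.URL.Query().Get("code").
		fmt.Fprintln(w, "You may close this window.")
	}
}

// preflight runs one OPTIONS request through the handler and reports the
// status plus the two response headers the browser checks.
func preflight(origin string, privateNetwork bool) (int, string, string) {
	req := httptest.NewRequest(http.MethodOptions, "http://127.0.0.1:8080/callback", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", http.MethodGet)
	if privateNetwork {
		req.Header.Set("Access-Control-Request-Private-Network", "true")
	}
	rec := httptest.NewRecorder()
	callbackHandler(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Methods"), rec.Header().Get("Access-Control-Allow-Private-Network")
}

func main() { fmt.Println(preflight(issuerOrigin, true)) } // 204 GET true
```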

codecov bot commented Mar 6, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 38.24%. Comparing base (f881bbb) to head (d49b011).

@@            Coverage Diff             @@
##             main    #1887      +/-   ##
==========================================
- Coverage   38.25%   38.24%   -0.01%     
==========================================
  Files         347      347              
  Lines       44201    44200       -1     
==========================================
- Hits        16909    16906       -3     
- Misses      26780    26781       +1     
- Partials      512      513       +1     


@cfryanr cfryanr enabled auto-merge March 8, 2024 19:36
@cfryanr cfryanr merged commit 61835e9 into main Mar 8, 2024
42 checks passed
@cfryanr cfryanr deleted the cli_callback_cors_get branch March 8, 2024 22:24