feat: handle Chrome CORS preflight private network header

randing89 · randing89 · commit 227b0a359367 · 2023-11-06T21:53:40.000+11:00
diff --git a/README.md b/README.md
@@ -204,6 +204,7 @@ app.listen(80, function () {
 * `maxAge`: Configures the **Access-Control-Max-Age** CORS header. Set to an integer to pass the header, otherwise it is omitted.
 * `preflightContinue`: Pass the CORS preflight response to the next handler.
 * `optionsSuccessStatus`: Provides a status code to use for successful `OPTIONS` requests, since some legacy browsers (IE11, various SmartTVs) choke on `204`.
+* `allowPrivateNetwork`: Provides **Access-Control-Allow-Private-Network: true** if **Access-Control-Request-Private-Network: true** is presented.
 
 The default configuration is the equivalent of:
 
diff --git a/lib/index.js b/lib/index.js
@@ -156,6 +156,20 @@
     }
   }
 
+  function configureAllowPrivateNetwork(options, req) {
+    var reqHeader = req.headers['access-control-request-private-network'];
+    if (
+      options.allowPrivateNetwork &&
+      reqHeader && reqHeader === 'true'
+    ) {
+      return {
+        key: 'Access-Control-Allow-Private-Network',
+        value: 'true',
+      };
+    }
+    return null;
+  }
+
   function cors(options, req, res, next) {
     var headers = [],
       method = req.method && req.method.toUpperCase && req.method.toUpperCase();
@@ -168,6 +182,7 @@
       headers.push(configureAllowedHeaders(options, req));
       headers.push(configureMaxAge(options))
       headers.push(configureExposedHeaders(options))
+      headers.push(configureAllowPrivateNetwork(options, req));
       applyHeaders(headers, res);
 
       if (options.preflightContinue) {
diff --git a/test/test.js b/test/test.js
@@ -571,6 +571,39 @@ var util = require('util')
         })
       });
 
+      it('allows private network if explicitly enabled', function (done) {
+        var cb = after(1, done)
+        var req = new FakeRequest('OPTIONS', {
+          'access-control-request-private-network': 'true'
+        })
+        var res = new FakeResponse()
+
+        res.on('finish', function () {
+          assert.equal(res.getHeader('Access-Control-Allow-Private-Network'), 'true')
+          cb()
+        })
+
+        cors({ allowPrivateNetwork: true })(req, res, function (err) {
+          cb(err || new Error('should not be called'))
+        })
+      });
+
+
+      it('not allows private network if explicitly enabled but access-control-request-private-network is missing', function (done) {
+        var cb = after(1, done)
+        var req = new FakeRequest('OPTIONS')
+        var res = new FakeResponse()
+
+        res.on('finish', function () {
+          assert.equal(res.getHeader('Access-Control-Allow-Private-Network'), undefined)
+          cb()
+        })
+
+        cors({ allowPrivateNetwork: true })(req, res, function (err) {
+          cb(err || new Error('should not be called'))
+        })
+      });
+
       it('does not includes credentials unless explicitly enabled', function (done) {
         // arrange
         var req, res, next;
