Add CORS support for Private Network Access

This commit adds CORS support for Private Network Access
by adding an Access-Control-Allow-Private-Network response
header when the preflight request is sent with an
Access-Control-Request-Private-Network header and that
Private Network Access has been enabled in the CORS
configuration.

See https://developer.chrome.com/blog/private-network-access-preflight/
for more details.

Closes gh-31974

(cherry picked from commit 318d460256)
This commit is contained in:
Sébastien Deleuze
2024-01-04 21:38:59 +01:00
parent dd9b6749d7
commit cfec88bfa8
18 changed files with 328 additions and 15 deletions

View File

@@ -84,6 +84,7 @@ public class CorsBeanDefinitionParser implements BeanDefinitionParser {
}
config.applyPermitDefaultValues();
config.validateAllowCredentials();
config.validateAllowPrivateNetwork();
corsConfigurations.put(mapping.getAttribute("path"), config);
}
}

View File

@@ -132,6 +132,17 @@ public class CorsRegistration {
return this;
}
/**
* Whether private network access is supported.
* <p>By default this is not set (i.e. private network access is not supported).
* @since 6.1.3
* @see <a href="https://wicg.github.io/private-network-access/">Private network access specifications</a>
*/
public CorsRegistration allowPrivateNetwork(boolean allowPrivateNetwork) {
this.config.setAllowPrivateNetwork(allowPrivateNetwork);
return this;
}
/**
* Configure how long in seconds the response from a pre-flight request
* can be cached by clients.

View File

@@ -530,6 +530,7 @@ public abstract class AbstractHandlerMapping extends WebApplicationObjectSupport
}
if (config != null) {
config.validateAllowCredentials();
config.validateAllowPrivateNetwork();
}
executionChain = getCorsHandlerExecutionChain(request, executionChain, config);
}

View File

@@ -648,6 +648,7 @@ public abstract class AbstractHandlerMethodMapping<T> extends AbstractHandlerMap
CorsConfiguration corsConfig = initCorsConfiguration(handler, method, mapping);
if (corsConfig != null) {
corsConfig.validateAllowCredentials();
corsConfig.validateAllowPrivateNetwork();
this.corsLookup.put(handlerMethod, corsConfig);
}

View File

@@ -501,6 +501,18 @@ public class RequestMappingHandlerMapping extends RequestMappingInfoHandlerMappi
"or an empty string (\"\"): current value is [" + allowCredentials + "]");
}
String allowPrivateNetwork = resolveCorsAnnotationValue(annotation.allowPrivateNetwork());
if ("true".equalsIgnoreCase(allowPrivateNetwork)) {
config.setAllowPrivateNetwork(true);
}
else if ("false".equalsIgnoreCase(allowPrivateNetwork)) {
config.setAllowPrivateNetwork(false);
}
else if (!allowPrivateNetwork.isEmpty()) {
throw new IllegalStateException("@CrossOrigin's allowPrivateNetwork value must be \"true\", \"false\", " +
"or an empty string (\"\"): current value is [" + allowPrivateNetwork + "]");
}
if (annotation.maxAge() >= 0 ) {
config.setMaxAge(annotation.maxAge());
}

View File

@@ -56,8 +56,8 @@ public class CorsRegistryTests {
@Test
public void customizedMapping() {
this.registry.addMapping("/foo").allowedOrigins("https://domain2.com", "https://domain2.com")
.allowedMethods("DELETE").allowCredentials(false).allowedHeaders("header1", "header2")
.exposedHeaders("header3", "header4").maxAge(3600);
.allowedMethods("DELETE").allowCredentials(true).allowPrivateNetwork(true)
.allowedHeaders("header1", "header2").exposedHeaders("header3", "header4").maxAge(3600);
Map<String, CorsConfiguration> configs = this.registry.getCorsConfigurations();
assertThat(configs.size()).isEqualTo(1);
CorsConfiguration config = configs.get("/foo");
@@ -65,7 +65,8 @@ public class CorsRegistryTests {
assertThat(config.getAllowedMethods()).isEqualTo(Collections.singletonList("DELETE"));
assertThat(config.getAllowedHeaders()).isEqualTo(Arrays.asList("header1", "header2"));
assertThat(config.getExposedHeaders()).isEqualTo(Arrays.asList("header3", "header4"));
assertThat(config.getAllowCredentials()).isFalse();
assertThat(config.getAllowCredentials()).isTrue();
assertThat(config.getAllowPrivateNetwork()).isTrue();
assertThat(config.getMaxAge()).isEqualTo(Long.valueOf(3600));
}
@@ -95,6 +96,7 @@ public class CorsRegistryTests {
assertThat(config.getAllowedHeaders()).isEqualTo(Collections.singletonList("*"));
assertThat(config.getExposedHeaders()).isEmpty();
assertThat(config.getAllowCredentials()).isNull();
assertThat(config.getAllowPrivateNetwork()).isNull();
assertThat(config.getMaxAge()).isEqualTo(Long.valueOf(1800));
}
}