Add allow_private_network in CORSMiddleware#3065
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for Private Network Access (PNA) to the CORS middleware by implementing the allow_private_network configuration parameter. This enables servers to control whether cross-origin requests from public networks to private networks are permitted.
Key changes:
- Added
allow_private_networkparameter toCORSMiddlewareconstructor - Implemented PNA header handling in preflight responses
- Fixed a typo in test comment ("diallowed" → "disallowed")
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| starlette/middleware/cors.py | Added allow_private_network parameter, type annotations for dict variables, and logic to handle Access-Control-Request-Private-Network header in preflight requests |
| tests/middleware/test_cors.py | Fixed typo in comment, added comprehensive tests for PNA allowed and disallowed scenarios |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Zaczero
left a comment
Zaczero
left a comment
There was a problem hiding this comment.
I think we want to Vary: Access-Control-Request-Private-Network, just like we currently do for Origin. Conditionally added whenever allow_private_network is set.
But then, are you saying we should also add for the The Django and Flask CORS do not add it to the Vary - this doesn't mean they are right, just a data point. But can you find a reference or justify it? |
|
My logic is that Vary makes it explicit to the caches that the same request will have a different response based on the headers sent. And this is the case here. When the request header is sent, it will have different response headers, so the response varies on that.
To my limited knowledge on this topic, Vary seems like it will make the implementation more correct (doesn't mean it's necessary). We already Vary on Origin so the intention is that we want to support caching OPTIONS responses. May as well expand Vary to cover all varying headers. |
|
But then, should the other access headers be also included? I'm having an inclination to not do it, unless someone did it in any other CORS implementation (in any framework from any language). |
|
From the stackoverflow it explicitly mentions https://github.com/rs/cors as having this behavior. I haven't searched more. If this decision was up to me, I would ensure Vary contains all varying headers correctly. The cost is little, and when someone decides to cache OPTIONS responses the setup will be simpler and less bug-prone. It would make the app more explicit about cache handling which is a good thing. AI research on this: https://claude.ai/public/artifacts/860f4896-69c0-4416-8066-ff9bd73c1a37
|
|
@Zaczero I'll merge this as is, because the This https://github.com/rs/cors has a beautiful code. Super easy to understand. 👍 |
Reference used for this PR: