Add Local Network Access support (#833)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Adam Johnson <[email protected]>
Co-authored-by: Issac Kelly <[email protected]>

Author: 4 people

CHANGELOG.rst

@@ -14,6 +14,8 @@ Changelog
 
 * Add async support to the middleware, reducing overhead on async views.
 
+* Add ``CORS_ALLOW_PRIVATE_NETWORK_ACCESS`` setting, which enables support for the Local Network Access draft specification.
+
 3.14.0 (2023-02-25)
 -------------------
 

README.rst

@@ -300,6 +300,17 @@ Change the setting to ``'None'`` if you need to bypass this security restriction
 
 .. _SESSION_COOKIE_SAMESITE: https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SESSION_COOKIE_SAMESITE
 
+``CORS_ALLOW_PRIVATE_NETWORK: bool``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If ``True``, allow requests from sites on “public” IP to this server on a “private” IP.
+In such cases, browsers send an extra CORS header ``access-control-request-private-network``, for which ``OPTIONS`` responses must contain ``access-control-allow-private-network: true``.
+
+Refer to:
+
+* `Local Network Access <https://wicg.github.io/local-network-access/>`__, the W3C Community Draft specification.
+* `Private Network Access: introducing preflights <https://developer.chrome.com/blog/private-network-access-preflight/>`__, a blog post from the Google Chrome team.
+
 CSRF Integration
 ----------------
 

src/corsheaders/checks.py

@@ -38,6 +38,14 @@ def check_settings(**kwargs: Any) -> list[CheckMessage]:
             Error("CORS_ALLOW_CREDENTIALS should be a bool.", id="corsheaders.E003")
         )
 
+    if not isinstance(conf.CORS_ALLOW_PRIVATE_NETWORK, bool):
+        errors.append(  # type: ignore [unreachable]
+            Error(
+                "CORS_ALLOW_PRIVATE_NETWORK should be a bool.",
+                id="corsheaders.E015",
+            )
+        )
+
     if (
         not isinstance(conf.CORS_PREFLIGHT_MAX_AGE, int)
         or conf.CORS_PREFLIGHT_MAX_AGE < 0

src/corsheaders/conf.py

@@ -32,6 +32,10 @@ def CORS_ALLOW_METHODS(self) -> Sequence[str]:
     def CORS_ALLOW_CREDENTIALS(self) -> bool:
         return getattr(settings, "CORS_ALLOW_CREDENTIALS", False)
 
+    @property
+    def CORS_ALLOW_PRIVATE_NETWORK(self) -> bool:
+        return getattr(settings, "CORS_ALLOW_PRIVATE_NETWORK", False)
+
     @property
     def CORS_PREFLIGHT_MAX_AGE(self) -> int:
         return getattr(settings, "CORS_PREFLIGHT_MAX_AGE", 86400)

src/corsheaders/middleware.py

@@ -21,6 +21,8 @@
 ACCESS_CONTROL_ALLOW_HEADERS = "access-control-allow-headers"
 ACCESS_CONTROL_ALLOW_METHODS = "access-control-allow-methods"
 ACCESS_CONTROL_MAX_AGE = "access-control-max-age"
+ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK = "access-control-request-private-network"
+ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK = "access-control-allow-private-network"
 
 
 class CorsMiddleware:
@@ -129,6 +131,12 @@ def add_response_headers(
             if conf.CORS_PREFLIGHT_MAX_AGE:
                 response[ACCESS_CONTROL_MAX_AGE] = str(conf.CORS_PREFLIGHT_MAX_AGE)
 
+        if (
+            conf.CORS_ALLOW_PRIVATE_NETWORK
+            and request.headers.get(ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK) == "true"
+        ):
+            response[ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK] = "true"
+
         return response
 
     def origin_found_in_white_lists(self, origin: str, url: SplitResult) -> bool:

tests/test_checks.py

@@ -52,6 +52,10 @@ def test_cors_allow_methods_non_string(self):
     def test_cors_allow_credentials_non_bool(self):
         self.check_error_codes(["corsheaders.E003"])
 
+    @override_settings(CORS_ALLOW_PRIVATE_NETWORK=object)
+    def test_cors_allow_network_access_non_bool(self):
+        self.check_error_codes(["corsheaders.E015"])
+
     @override_settings(CORS_PREFLIGHT_MAX_AGE="10")
     def test_cors_preflight_max_age_non_integer(self):
         self.check_error_codes(["corsheaders.E004"])

tests/test_middleware.py

@@ -11,6 +11,7 @@
 from corsheaders.middleware import ACCESS_CONTROL_ALLOW_HEADERS
 from corsheaders.middleware import ACCESS_CONTROL_ALLOW_METHODS
 from corsheaders.middleware import ACCESS_CONTROL_ALLOW_ORIGIN
+from corsheaders.middleware import ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK
 from corsheaders.middleware import ACCESS_CONTROL_EXPOSE_HEADERS
 from corsheaders.middleware import ACCESS_CONTROL_MAX_AGE
 from tests.utils import prepend_middleware
@@ -94,6 +95,41 @@ def test_get_dont_allow_credentials(self):
         resp = self.client.get("/", HTTP_ORIGIN="https://example.com")
         assert ACCESS_CONTROL_ALLOW_CREDENTIALS not in resp
 
+    @override_settings(CORS_ALLOW_PRIVATE_NETWORK=True, CORS_ALLOW_ALL_ORIGINS=True)
+    def test_allow_private_network_added_if_enabled_and_requested(self):
+        resp = self.client.get(
+            "/",
+            HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK="true",
+            HTTP_ORIGIN="http://example.com",
+        )
+        assert resp[ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK] == "true"
+
+    @override_settings(CORS_ALLOW_PRIVATE_NETWORK=True, CORS_ALLOW_ALL_ORIGINS=True)
+    def test_allow_private_network_not_added_if_enabled_and_not_requested(self):
+        resp = self.client.get("/", HTTP_ORIGIN="http://example.com")
+        assert ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK not in resp
+
+    @override_settings(
+        CORS_ALLOW_PRIVATE_NETWORK=True,
+        CORS_ALLOWED_ORIGINS=["http://example.com"],
+    )
+    def test_allow_private_network_not_added_if_enabled_and_no_cors_origin(self):
+        resp = self.client.get(
+            "/",
+            HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK="true",
+            HTTP_ORIGIN="http://example.org",
+        )
+        assert ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK not in resp
+
+    @override_settings(CORS_ALLOW_PRIVATE_NETWORK=False, CORS_ALLOW_ALL_ORIGINS=True)
+    def test_allow_private_network_not_added_if_disabled_and_requested(self):
+        resp = self.client.get(
+            "/",
+            HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK="true",
+            HTTP_ORIGIN="http://example.com",
+        )
+        assert ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK not in resp
+
     @override_settings(
         CORS_ALLOW_HEADERS=["content-type"],
         CORS_ALLOW_METHODS=["GET", "OPTIONS"],