Closed yoavweiss closed 5 months ago
Private Network Access will always trigger a preflight. Request and response should contain Access-Control-Request-Private-Network and Access-Control-Allow-Private-Network headers, otherwise it will be denied.
Sorry if I didn't make it clear in the explainer, the permission prompt is an add-on for PNA requests that need to bypass mixed content checkers.
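The header exchange described in the comment above, as an added example that is not part of the original thread or of the explainer: a device-side preflight handler that opts in only for allowlisted origins, plus a simplified model of the browser-side check. The function names, the allowlists and the `https://app.example` origin are assumptions made up for illustration.

```javascript
// Added example. Names and sample values are constructed, not from the thread.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // hypothetical web app
const ALLOWED_METHODS = new Set(["GET", "POST"]);

// Device side: answer a preflight. `headers` uses lower-cased names,
// as in Node's req.headers.
function answerPnaPreflight(method, headers) {
  const deny = (reason) => ({ status: 403, headers: {}, reason });

  if (method !== "OPTIONS") return deny("not a preflight");
  const origin = headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return deny("origin not allowed");
  const wanted = headers["access-control-request-method"];
  if (!wanted || !ALLOWED_METHODS.has(wanted)) return deny("method not allowed");

  const res = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": wanted,
    "Vary": "Origin",
  };
  // Opt in to private network access only when the browser asked for it.
  if (headers["access-control-request-private-network"] === "true") {
    res["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: res, reason: "ok" };
}

// Browser side, simplified model: without the opt-in header in a successful
// preflight response, the private network request is denied.
function browserAcceptsPna(response) {
  const ok = response.status >= 200 && response.status < 300;
  return ok && response.headers["Access-Control-Allow-Private-Network"] === "true";
}

// Constructed sample preflight from a public page to a device on the LAN.
const samplePreflight = {
  "origin": "https://app.example",
  "access-control-request-method": "GET",
  "access-control-request-private-network": "true",
};
```

A device that answers the ordinary CORS preflight but omits the opt-in header still fails the browser-side check, which is the "otherwise it will be denied" case.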
OK. Great to hear a preflight and an opt-in are always required!!
In the explainer it's mentioned that the opt-in headers will be used by the permission prompt in case of a preflight. What happens if the request to the device doesn't require a preflight? (e.g. it only uses safe methods and headers)
Would that trigger the same case as ephemeral permission?
Personally, I think it might be safer to always trigger a preflight in case of mixed content private network access, and require the opt-in headers for that to be enabled. Was this considered and dismissed for some reason?