CORS error on request to localhost dev server from remote site

by

Original Answer

I finally found the answer, in this RFC about CORS-RFC1918 from a Chrome-team member. To sum it up, Chrome has implemented CORS-RFC1918, which prevents public network resources from requesting private-network resources – unless the public-network resource is secure (HTTPS) and the private-network resource provides appropriate (yet-undefined) CORS headers.

There’s also a Chrome flag you can change to disable the new behavior for now:
chrome://flags/#block-insecure-private-network-requests

Disabling that flag does mean you’re re-opening the security hole that Chrome’s new behavior is meant to close.

Update 2021: A few months after I posted this question, the flag I referenced in my original answer was removed, and instead of disabling a security feature I was forced to solve the problem more satisfactorily by serving assets over HTTPS.

Update 2022: Chrome 98 is out, and it introduces support for Preflight requests. According to the announcement, failed requests are supposed to produce a warning and have no other effect, but in my case they are full errors that break my development sites. So I had to add middleware to teach webpack-dev-server how to serve preflight requests.

Private Network Access (formerly CORS-RFC1918) is a specification that forbids requests from less private network resources to more private network resources. Like HTTP to HTTPS, or a remote host to localhost.

The ultimate solution was to add a self-signed certificate and middleware which enabled requests from my remote dev server to my localhost webpack-dev-server for assets.

Generate certificates

cd path/to/.ssl
npx mkcert create-cert

Configure webpack-dev-server to use certificates and serve preflight requests

module.exports = {
  //...
  devServer: {
    https: {
      key: readFileSync("./.ssl/cert.key"),
      cert: readFileSync("./.ssl/cert.crt"),
      cacert: readFileSync("./.ssl/ca.crt"),
    },

    allowedHosts: ".example.dev", // should match host in origin below
    setupMiddlewares(middlewares, devServer) {
      // Serve OPTIONS requests
      devServer.app.options('*', (req, res) => {
        // Only serve if request has expected origin header
        if (/^https:\/\/example\.dev$/.test(req.headers.origin)) {
          res.set({
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Private-Network": "true",
            // Using * results in error if request includes credentials
            "Access-Control-Allow-Origin": req.headers.origin,
          })

          res.sendStatus(200)
        }
      }

      return middlewares
    }
  }
}

Trust certificates

  1. Right click ca.crt in Windows Explorer and select Install Certificate
  2. Select Current User.
  3. Choose Place all certificates in the following store, then Browse…, and select Trusted Root Certification Authorities.
  4. Finish.

Firefox-specific instructions

Firefox doesn’t respect your authoritah! by default. Configure it to do so with these steps:

  1. Type about:config into the address bar
  2. Search for security.enterprise_roots.enabled
  3. Toggle the setting to true

More Related Contents:

  1. Chrome CORS error on request to localhost dev server from remote site
  2. Chrome not showing OPTIONS requests in Network tab
  3. How to stop CORB from blocking requests to data resources that respond with CORS headers?
  4. Chrome cancels CORS XHR upon HTTP 302 redirect
  5. Cross-origin request in a content script is blocked by CORB despite the correct CORS headers
  6. How to make a cross-origin request in a content script (currently blocked by CORB despite the correct CORS headers)?
  7. Does –disable-web-security work in Chrome?
  8. CORS issue doesn’t occur when using POSTMAN
  9. Chrome v37/38 CORS failing (again) with 401 for OPTIONS pre-flight requests
  10. How to resolve ‘preflight is invalid (redirect)’ or ‘redirect is not allowed for a preflight request’
  11. Start an external application from a Google Chrome Extension?
  12. Chrome Extension Content Script on https://chrome.google.com/webstore/
  13. Server terminated early with status 1 error with Selenium for ChromeDriver and Chrome Browser and the log message “Only local connections are allowed”
  14. Chrome Extension: how to capture selected text and send to a web service
  15. HTML5 video will not loop
  16. How can I get the current tab URL for chrome extension?
  17. What does it mean if console.log(4) outputs undefined in Chrome Console?
  18. Font Awesome icons not showing in Chrome, a MaxCDN related Cross-Origin Resource Sharing policy issue
  19. What are proper status codes for CORS preflight requests?
  20. Chrome: Source of Post Data?
  21. Not able to maximize Chrome Window in headless mode
  22. Increasing Google Chrome’s max-connections-per-server limit to more than 6
  23. HTML 5 Video “autoplay” not automatically starting in CHROME
  24. How does Netflix prevent users from taking screenshots of chrome browser?
  25. Chrome developer tools workspace mappings
  26. CSS3 – How to style the selected text in textareas and inputs in Chrome?
  27. Chrome displays different object contents on expand
  28. Duplicate headers received from server
  29. How to keep a flex item from overflowing due to its text? [duplicate]
  30. How to checkout and BUILD specific chromium tag/branch without download the FULL source code of all history?

Leave a Comment