I have a webapp which communicates with a locally installed app by making fetch JSON calls.
My webapp is hosted over HTTPS.
The local app, written in .NET 5, runs an embedded web server which listens on port 5001, over HTTP because we don't want to install a certificate on the client PC.
UPDATE: I tried to put a certificate in place and make the call over HTTPS, but I still have this warning. The certificate is installed correctly on the client machine.
So the webapp calls the local app in this manner: http://localhost:5001/api/MyService
On this type of call, on Chrome 96 and for several versions now, I have this warning:
Ensure private network requests are only made to resources that allow them
A site requested a resource from a network that it could only access because of its users' privileged network position. These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage.
To mitigate these risks, a future version of Chrome will require non-public subresources to opt-into being accessed with a preflight request.
To fix this issue, ensure that response to the preflight request for the private network resource has the Access-Control-Allow-Private-Network header set to true.
Administrators can make use of the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies to temporarily disable this restriction on all or certain websites.
https://developer.chrome.com/blog/private-network-access-update?utm_source=devtools
I applied what they said and added Access-Control-Allow-Private-Network to the response, but I still have this warning.
The requests are made in JavaScript with fetch:
    const response = await fetch(lUrl, {
        method: "GET",
        headers: {
            //'Accept': 'application/json',
            //'Content-Type': 'application/json',
            // Note: the browser sets Access-Control-Request-Private-Network on the
            // preflight by itself; adding it here makes it a custom request header,
            // which is why it shows up in access-control-request-headers below.
            'Access-Control-Request-Private-Network': 'true'
        }
    });
The local server seems to be correctly configured in terms of CORS:
    app.Use(async (context, next) =>
    {
        // Must be placed before UseCors, because we want the header set on the
        // preflight response too (it is added to every response, not only OPTIONS).
        context.Response.Headers.Add("Access-Control-Allow-Private-Network", "true");
        await next();
    });
    app.UseCors(builder => builder
        .AllowAnyOrigin()
        .AllowAnyMethod()
        .AllowAnyHeader());
Now I don't know what to try.
Below is an example of the preflight and the request (each of which generates a warning).
Preflight
General
Request URL: https://localhost:5101/api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
Request Method: OPTIONS
Status Code: 204
Remote Address: 127.0.0.1:5101
Referrer Policy: strict-origin-when-cross-origin
Response
access-control-allow-headers: access-control-request-private-network
access-control-allow-methods: GET
access-control-allow-origin: *
access-control-allow-private-network: true
date: Mon, 13 Dec 2021 11:25:28 GMT
server: Kestrel
Request
:authority: localhost:5101
:method: OPTIONS
:path: /api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
access-control-request-headers: access-control-request-private-network
access-control-request-method: GET
cache-control: no-cache
origin: https://mydomain:7515
pragma: no-cache
referer: https://mydomain:7515/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Request itself
General
Request URL: https://localhost:5101/api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
Request Method: GET
Status Code: 200
Remote Address: 127.0.0.1:5101
Referrer Policy: strict-origin-when-cross-origin
Response
access-control-allow-origin: *
access-control-allow-private-network: true
content-type: application/json; charset=utf-8
date: Mon, 13 Dec 2021 11:25:35 GMT
server: Kestrel
Request
:authority: localhost:5101
:method: GET
:path: /api/GetDataVitale?pLogXmlFileIns=false&pUseProdIns=false&pLpsNumInstance=f94b3bcf-4c55-431f-9fc1-5c259a821453&pAction=NVOW&pPathTmp=TEMP%5C&pWithIns=true
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
access-control-request-private-network: true
cache-control: no-cache
origin: https://mydomain:7515
pragma: no-cache
referer: https://mydomain:7515/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Thanks for your help