I have an intranet webserver. It has no certs of any kind and is accessed via http. It is technically a public IP but has no public routing.
On this webserver, I have a single page application that needs to call an https api nodejs/express endpoint on a different server (that I also control). I just had to add the cors library and 'use' it:
app.use(cors())
This worked a month or so back.
Now, when I do this, I get the following error:
The request client is not a secure context and the resource is in more-private address space private.
Searching brought me here: Chrome CORS error on request to localhost dev server from remote site, which effectively says "make your server https".
Additional answers indicate that adding a header, Access-Control-Allow-Private-Network: true, would be all that is needed.
This is backed up by the documentation here: https://wicg.github.io/private-network-access/#:~:text=The%20Access%2DControl%2DRequest%2D,safely%20shared%20with%20external%20networks indicating:
The Access-Control-Allow-Private-Network indicates that a resource can be safely shared with external networks.
I've tried this on the api server by adding
app.use((req, res, next) => {
  res.setHeader("Access-Control-Allow-Private-Network", "true")
  next();
})
right after my previously-added app.use(cors()) line.
This leaves me with:
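const express = require('express')
const cors = require('cors')

const app = express()
app.use(express.urlencoded({ extended: true }))
app.use(cors())
// Registered after cors(), as described above
app.use((req, res, next) => {
  res.setHeader("Access-Control-Allow-Private-Network", "true")
  next();
})
app.use(express.json())
// jobRouter is defined elsewhere in the app
app.use('/api', jobRouter);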
This doesn't remove the error.
What needs to be done to allow my intranet non-http server to access an https server? I control both sides.
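
Added example, not part of the original post: a dependency-free sketch of why a header-setting middleware registered after `cors()` never touches the preflight response, given that `cors()` with default options answers `OPTIONS` itself and does not call `next()`. `pnaPreflight`, `corsStandIn`, `run` and the `intranet.example` origin are constructed for illustration; `corsStandIn` only imitates that one behaviour of the real library.

```javascript
// Sets the Private Network Access grant on preflights from trusted origins only.
function pnaPreflight(allowedOrigins) {
  return (req, res, next) => {
    const asksPna = req.headers['access-control-request-private-network'] === 'true';
    if (req.method === 'OPTIONS' && asksPna && allowedOrigins.includes(req.headers.origin)) {
      res.setHeader('Access-Control-Allow-Private-Network', 'true');
    }
    next();
  };
}

// Constructed stand-in for cors() with default options: it ends an OPTIONS request
// itself and never calls next(), so later middleware does not see the preflight.
function corsStandIn(req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', '*');
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    return res.end();
  }
  next();
}

// Minimal synchronous middleware runner; returns the response headers that were set.
function run(chain, req) {
  const headers = {};
  let ended = false, i = 0;
  const res = {
    statusCode: 200,
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
    end: () => { ended = true; },
  };
  const next = () => { if (!ended && i < chain.length) chain[i++](req, res, next); };
  next();
  return headers;
}

// Constructed preflight, as a browser would send it for a private-network request.
const preflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'http://intranet.example',
    'access-control-request-method': 'GET',
    'access-control-request-private-network': 'true',
  },
};
const trusted = ['http://intranet.example'];
const PNA = 'access-control-allow-private-network';
console.log('cors first:', run([corsStandIn, pnaPreflight(trusted)], preflight)[PNA]);
console.log('cors last: ', run([pnaPreflight(trusted), corsStandIn], preflight)[PNA]);
```

In the real app the equivalent ordering is to register the header middleware before `app.use(cors())`. The "not a secure context" part of the quoted Chrome error is a separate check on the calling page that this response header does not change.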