Allow connections from webpages via private network access CORS

This is required when using the UI in some very recent Chrome releases.

Author: pimterry

src/api-server.ts

@@ -288,6 +288,16 @@ export class HttpToolkitServerApi extends events.EventEmitter {
         this.server = express();
         this.server.disable('x-powered-by');
 
+        // Allow web pages on non-local URLs (app.httptoolkit.tech, not localhost) to
+        // send requests to this admin server too. Without this, those requests will
+        // fail after rejected preflights in recent Chrome (from ~v102, ish? Unclear).
+        this.server.use((req, res, next) => {
+            if (req.headers["access-control-request-private-network"]) {
+                res.setHeader("access-control-allow-private-network", "true");
+            }
+            next(null);
+        });
+
         this.server.use(cors({
             origin: ALLOWED_ORIGINS,
             maxAge: 86400 // Cache this result for as long as possible

src/index.ts

@@ -121,7 +121,8 @@ export async function runHTK(options: {
         corsOptions: {
             strict: true, // For the standalone admin API, require valid CORS headers
             origin: ALLOWED_ORIGINS, // Only allow requests from our origins, to avoid XSRF
-            maxAge: 86400 // Cache CORS responses for as long as possible
+            maxAge: 86400, // Cache CORS responses for as long as possible
+            allowPrivateNetworkAccess: true // Allow access from non-local domains in Chrome 102+
         },
         webSocketKeepAlive: 20000, // Send a keep-alive ping to Mockttp clients every minute
         ruleParameters // Rule parameter dictionary