Re: Can't fetch https: from chrome-extension:

[PhistucK]

Interesting... Have you tried to go to localhost yourself (as a top level window/tab/frame) and accept any security warning you get (I assume you are using self-signed certificates)?

I see you use the treat-insecure-... flag, did you specify an origin as its value (--unsafely-treat-insecure-origin-as-secure="http://example.com" and maybe there are some port games to be played there, too)?

Also there is the more generic and big hammer, --disable-web-security...

☆PhistucK

On Tue, Dec 20, 2022 at 6:35 AM guest271314 <guest...@gmail.com> wrote:

I think the issue is https://developer.chrome.com/blog/private-network-access-update/.

    const server = Deno.listenTls({
      port: 8443,
      certFile: 'certificate.pem',
      keyFile: 'certificate.key',
      alpnProtocols: ['h2', 'http/1.1'],
    });
    // ...
    requestEvent.respondWith(
      new Response(body, {
        headers: {
          'Content-Type': 'application/octet-stream',
          'Cross-Origin-Opener-Policy': 'unsafe-none',
          'Cross-Origin-Embedder-Policy': 'unsafe-none',
          'Access-Control-Allow-Origin': '*',
          'Content-Security-Policy': 'treat-as-public-address',
          'Access-Control-Allow-Private-Network': 'true',
          'Access-Control-Allow-Headers':
            'Access-Control-Request-Private-Network',
          'Access-Control-Allow-Methods': 'OPTIONS,POST,GET,HEAD',
        },
      })

I am serving the correct headers, and enabled and disabled the correct flags that I am aware of --allow-insecure-localhost --unsafely-treat-insecure-origin-as-secure --disable-features=BlockInsecurePrivateNetworkRequests.

fetch('https://localhost:8443', {mode: 'cors', method:'post', body: JSON.stringify('test'), headers: {'Access-Control-Request-Private-Network': 'true'}})
.then((r) => r)
.then(console.log)
.catch(console.error);

Still getting

Access to fetch at 'https://localhost:8443/' from origin 'chrome-extension://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.

What do I need to do to fetch https://localhost from a local Chromium extension?

--
You received this message because you are subscribed to the Google Groups "blink-network-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-network-...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-network-dev/b96fe016-a01a-4650-8b67-36877fa1677cn%40chromium.org.

[guest271314]

I solved the issue by setting "host_permissions" to "<all_urls>" in the extension manifest.json.