CORS preflight: description
Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification.
Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true.
The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. These attacks have affected hundreds of thousands of users, allowing attackers to redirect them to malicious servers.
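The preflight exchange described above, from the device's side, as an added example (this is not code from the original page or from Google): a small Python HTTP server standing in for a private-network device. It answers Chrome's OPTIONS preflight with Access-Control-Allow-Private-Network: true only when the browser sent Access-Control-Request-Private-Network: true and the Origin is on an allowlist. The allowlisted origin, the JSON route and the port are assumptions chosen for the example; Chrome fixes only the header names.

```python
"""Server-side handling of Chrome's Private Network Access (PNA) preflight.

Added example, not code from the original page. Chrome sends an OPTIONS
preflight carrying ``Access-Control-Request-Private-Network: true`` before a
public site may reach a private-network address; the device must answer with
``Access-Control-Allow-Private-Network: true`` plus the usual CORS headers,
otherwise the request is blocked. The origin allowlist, route and port below
are assumptions for the example; only the header names come from Chrome.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

# Constructed allowlist: public origins permitted to talk to this device.
ALLOWED_ORIGINS = {"https://dashboard.example.com"}  # assumed value


def pna_preflight_response(req_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Compute (status, response headers) for a CORS/PNA preflight.

    ``req_headers`` holds the OPTIONS request headers (any casing). Only an
    allowlisted Origin receives CORS headers, and the private-network grant is
    issued only when the browser explicitly asked for it.
    """
    h = {k.lower(): v for k, v in req_headers.items()}
    origin = h.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        # No CORS headers at all: the browser treats the preflight as failed.
        return 403, {}

    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Vary": "Origin",
    }
    requested = h.get("access-control-request-headers")
    if requested:
        resp["Access-Control-Allow-Headers"] = requested
    # The PNA-specific part: grant private-network access only when asked.
    if h.get("access-control-request-private-network", "").lower() == "true":
        resp["Access-Control-Allow-Private-Network"] = "true"
    return 204, resp


class DeviceHandler(BaseHTTPRequestHandler):
    """Minimal handler wiring the preflight logic into a real HTTP server."""

    def do_OPTIONS(self):  # http.server naming convention
        status, headers = pna_preflight_response(dict(self.headers.items()))
        self.send_response(status)
        for k, v in headers.items():
            self.send_header(k, v)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # The actual request after a successful preflight (assumed route: any path).
        origin = self.headers.get("Origin", "")
        body = b'{"status":"ok"}'
        self.send_response(200)
        if origin in ALLOWED_ORIGINS:
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback address and port are assumed; a real device would bind its LAN address.
    HTTPServer(("127.0.0.1", 8080), DeviceHandler).serve_forever()
```

Answering the preflight this way is what the specification intends: the device opts in per origin, and every other public site still gets blocked, which is the opposite of switching the check off browser-wide with the policy described in the next section.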
Disabling the browser's preflight policy through the registry
1. Press Alt+R (or Command+R) to open the Run dialog and run "regedit" to open the Windows Registry Editor.
2. Write InsecurePrivateNetworkRequestsAllowed = 1 to the registry.
Note: add a new key to create the path Google\Chrome, then add a new DWORD value named InsecurePrivateNetworkRequestsAllowed.
Chrome is used as the example here; other browsers are similar. On Windows, the registry information to write is as follows:
Registry Hive: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry Path: Software\Policies\Google\Chrome
Value Name: InsecurePrivateNetworkRequestsAllowed
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0
On macOS, run the following command:
defaults write com.google.Chrome InsecurePrivateNetworkRequestsAllowed -bool true
3. Restart the browser for the change to take effect.