Postgrest does not implement CORS-RFC1918, which has impact on local operations #4408
Description
Environment
- PostgreSQL version: public.ecr.aws/supabase/postgres 17.6.1.008
- PostgREST version: public.ecr.aws/supabase/postgrest v13.0.5
- Operating system: macOS Tahoe 26.0.1
- Chrome version: 141.0.7390.108
Description of issue
I have a case of a web application calling my local Postgrest in local supabase development.
Chrome new requires setting the Access-Control-Request-Private-Network /Access-Control-Allow-Private-Network header pair, according to https://wicg.github.io/private-network-access/#headers
So when I send the preflight request (having added the Access-Control-Request-Private-Network: true), which looks like
curl 'http://127.0.0.1:54321/rest/v1/Space?select=*&url=eq.https%3A%2F%2Froamresearch.com%2F%23%2Fapp%2Fdiscourse-graphs' \
-X 'OPTIONS' \
-H 'Accept: */*' \
-H 'Accept-Language: en-CA,en;q=0.9,fr-CA;q=0.8,fr;q=0.7,it;q=0.6,pt-BR;q=0.5,pt;q=0.4' \
-H 'Access-Control-Request-Headers: accept-profile,apikey,authorization,x-client-info' \
-H 'Access-Control-Request-Method: GET' \
-H 'Access-Control-Request-Private-Network: true' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Origin: https://roamresearch.com' \
-H 'Pragma: no-cache' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: cross-site' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36'
I do not get the Access-Control-Allow-Private-Network: true header in response, and Chrome blocks the request.
Though I am not a Haskell coder, I saw that you use wai-cors and also created an issue there.
larskuhtz/wai-cors#38
However, I am not 100% sure that this path is handled by wai-cors, and I thought it should be raised here as well.