May 2022 - Google Chrome Private Network Access preflights

Dear Forest Admin community,

In light of upcoming Chrome browser updates, Forest Admin strongly encourages you to adapt your Forest Admin agent CORS configuration in order to keep your development environments up and running without service interruption.

Please note that the remote and production environments of your projects won’t be impacted by the change below and will continue to run without necessary intervention.

What is happening?

In the near future, with the release of Google Chrome 101, the Chrome browser will progressively deploy CORS for private network and block private network resource accesses without the expected CORS preflight response header (RFC1918).

Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server.


What consequences for Forest Admin users?

It basically means that, web clients using Chrome 101 might not be able to reach development environments targeting localhost from a web application (if the local server CORS configuration is not adapted properly).
As the targeted Chrome version for the release date is not precisely defined (was supposed to be April 2022), it might appear later on an upper Chrome version.

Which projects will be impacted?

This change will break data consumption in all existing development environments targeting private networks, whatever the running Forest Admin agent versions.


To allow Forest Admin web clients to reach your localhost development, and thus, prevent service interruption, Forest Admin project administrators and developers will need to adapt the CORS configuration of their agent in their development environments. You’ll find below the Google’s description to handle this:

Please find and pick below the section that corresponds to the way your project is connected to Forest Admin and follow the dedicated information:

Admin microservice architecture

Upgrade your agent dependency to the one mentioned below.
You may also need to add the following middleware in order to be fully compatible with this header.

In app.js, add this code just before app.use(morgan("tiny"));

app.use(function (req, res, next) {
  if (req.headers["access-control-request-private-network"]) {
    res.setHeader("access-control-allow-private-network", "true");

Express Mongoose & Express Sequelize agent running a version lower than v8

You should also be able to use the middleware provided above.
Please also consider upgrading to v8 to benefit from the fixed packages, as well as new features!

Express Mongoose agent already running on v8

npm install forest-express-mongoose@latest
The compatible version of the agent is >= 8.6.8

Express Sequelize agent already running on v8

npm install forest-express-sequelize@latest
The compatible version of the agent is >= 8.5.5

Ruby on Rails agent already running on v7

bundle update forest_liana
The compatible version of the agent is >= 7.6.0

Ruby on Rails agent already running a version lower than v7

In config/initializers/forest_liana.rb, add the following code:

module Rack
  class Cors
    class Resource
      def to_preflight_headers(env)
        h = to_headers(env)
        h['Access-Control-Allow-Private-Network'] = 'true' if env['HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK'] == 'true'
          h.merge!('Access-Control-Allow-Headers' => env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS])

Django agent

pip install --upgrade django-forestadmin
The compatible version of the agent is >= 1.3.0

Laravel agent

composer update forestadmin/laravel-forestadmin
The compatible version of the agent is >= v1.0.0-beta.18

Any other alternative?

In a temporary situation, although Forest Admin does not recommend this approach, a possibility will be for our users to deactivate the Chrome feature flag that send Private Network Access preflights until they have completed their Forest Admin agent update.

To do so:

  • access the Chrome flags, typing chrome://flags/#private-network-access-send-preflights in the URL bar
  • set the flag as “disabled”

A second alternative would be to use another browser that does not introduce this breaking change for development environments.