Adding PNA Access-Control-Allow-Private-Network header in responses to preflight requests #56359

azagarelz · 2025-05-19T20:55:11Z

azagarelz
May 19, 2025

Hello,

My application makes requests to a few private resources, and Chrome expects to send preflight requests carrying the Access-Control-Request-Private-Network request header and receiving back Access-Control-Allow-Private-Network header in responses to confirm these requests are safe.

Unfortunately, the Istio CORS policy field in the VirtualService doesn’t support adding the Access-Control-Allow-Private-Network header, and using the headers property to add it also doesn’t work.
I tried using a VirtualService attached to a Gateway, in case that helps.

See https://developer.chrome.com/blog/private-network-access-preflight for more info about PNA preflights.

Is there another way to add the header I need in a request handled by the Istio CORS policy?

rsalmond · 2025-05-26T15:52:13Z

rsalmond
May 26, 2025
Collaborator

using the headers property to add it also doesn’t work

That's weird. Can you add other headers but not Access-Control-Allow-Private-Network or does it fail when you try to add any header?

2 replies

azagarelz May 26, 2025
Author

I cannot add any headers when the request is handled by https://istio.io/latest/docs/reference/config/networking/virtual-service/#CorsPolicy.

My current configuration looks like:

kind: VirtualService
metadata:
  name: service-gateway
  namespace: service
spec:
  gateways:
    - istio-system/service-gateway
  hosts:
    - somehost
  http:
    - corsPolicy:
        allowHeaders:
          - accept
          - authorization
          - x-requested-with
          - Content-Type
          - Access-Control-Request-Private-Network
        allowMethods:
          - GET
          - POST
          - PUT
          - DELETE
          - OPTIONS
        allowOrigins:
          - exact: '*'
        maxAge: 1h
        unmatchedPreflights: IGNORE
      headers:
        response:
          add:
            Access-Control-Allow-Private-Network: 'true'
      match:
        - uri:
            regex: /servicepath(/|$)(.*)
      route:
        - destination:
            host: service.service.svc.cluster.local
            port:
              number: 80

g-chcht Aug 8, 2025

Hello,

That's also my experience. Adding or setting header does not apply to CORS requests manage by corsPolicy.

You need to use a more complicated EnvoyFilter with a merge operation.

I strongly support the original request. It should be a field of https://istio.io/latest/docs/reference/config/networking/virtual-service/#CorsPolicy and it is much needed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Adding PNA Access-Control-Allow-Private-Network header in responses to preflight requests #56359

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Adding PNA Access-Control-Allow-Private-Network header in responses to preflight requests #56359

Uh oh!

Uh oh!

azagarelz May 19, 2025

Replies: 1 comment · 2 replies

Uh oh!

rsalmond May 26, 2025 Collaborator

Uh oh!

Uh oh!

azagarelz May 26, 2025 Author

Uh oh!

g-chcht Aug 8, 2025

azagarelz
May 19, 2025

Replies: 1 comment 2 replies

rsalmond
May 26, 2025
Collaborator

azagarelz May 26, 2025
Author