S3 CORS Server Sent Events http

0

How do I set "Access-Control-Allow-Private-Network": true?

Background: I have an esp32 that I do not want to run SSL on due to overhead. I have a static React app that uses SSE to get updates from the esp32. I want to host the static bundled React app on S3. This doesn't work because I can't connect to SSE. Oddly, websockets are allowed and work fine.

The error in the Chrome console is:

index_test.html:1 Access to resource at 'http://192.168.1.90/events' from origin 'http://espels.s3.us-west-2.amazonaws.com' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `private`.
index_test.html:8 GET http://192.168.1.90/events net::ERR_FAILED

I've tried to add "Access-Control-Allow-Private-Network": true to the CORS configuration of the S3 bucket, but it isn't allowed.

asked 4 months ago, 285 views
3 Answers
0
Accepted Answer

Oops, I think I had this figured wrong.

I was thinking the CORS request needed to be with the source of the static content... S3, but the "Access-Control-Allow-Private-Network": true needs to be sent from the esp32. Doh!

answered 4 months ago
EXPERT
reviewed a month ago
0

Hey,

The error is due to allowed origins, so you have to enter your origin there, or for testing purposes you can have * to allow all the origins. Note: you shouldn't have allowed origins: * in production.

Please check the CORS configuration to allow the origins here https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManageCorsUsing.html

Let me know if you have any questions

answered 4 months ago
  • I have allowed origins; here is my CORS config:

    
    [
        {
            "AllowedHeaders": [
                "*"
            ],
            "AllowedMethods": [
                "GET",
                "POST",
                "PUT",
                "HEAD"
            ],
            "AllowedOrigins": [
                "*",
                "http://espels.s3-us-west-2.amazonaws.com",
                "https://espels.s3-us-west-2.amazonaws.com"
            ],
            "ExposeHeaders": [
                "ETag",
                "Accept-Ranges",
                "Content-Encoding",
                "Content-Length",
                "Content-Range",
                "Access-Control-Allow-Private-Network"
            ],
            "MaxAgeSeconds": 3000
        }
    ]
    
0

This looks like the issue to me

Access to resource at 'http://192.168.1.90/events' from origin 'http://espels.s3.us-west-2.amazonaws.com'

Seems your page may have an iframe or some reference to a site on a private IP address via HTTP (192.168.1.90) and the browser is blocking this.

What is Private Network Access (PNA)

Private Network Access (formerly known as CORS-RFC1918) restricts the ability of websites to send requests to servers on private networks.

Chrome has already implemented part of the specification: as of Chrome 96, only secure contexts are allowed to make private network requests.

The specification also extends the Cross-Origin Resource Sharing (CORS) protocol so that websites must now explicitly request a grant from servers on private networks before being allowed to send arbitrary requests.

Key term: Private network requests are requests whose target server's IP address is more private than that from which the request initiator was fetched. For example, a request from a public website (https://example.com) to a private website (http://router.local), or a request from a private website to localhost.

EXPERT
answered 4 months ago
  • Yes, I want to access SSE (server-sent events) on an esp32 "server" in my private network via insecure HTTP. Chrome requires a preflight response for "Access-Control-Allow-Private-Network": true, but I don't know how to set that in my CORS configuration. Again, what is very odd is that websockets work fine and I get no CORS errors when using them with this setup.
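
The preflight grant discussed in the answers above, as an added example that is not from the original thread or from any ESP32 library: a framework-independent C function that the device's HTTP handler could call to build its response headers. `pna_request`, `pna_headers` and the single allow-listed origin are assumptions; the secure-context requirement quoted above is a separate browser check and is not handled here.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the only page origin allowed to reach the device (from the console error). */
static const char *ALLOWED_ORIGIN = "http://espels.s3.us-west-2.amazonaws.com";

/* Hypothetical view of a parsed request; a header that was not sent is NULL. */
struct pna_request {
    const char *method;
    const char *origin;
    const char *req_private_network;   /* Access-Control-Request-Private-Network */
};

static int append(char *out, size_t cap, const char *s)
{
    size_t used = strlen(out), len = strlen(s);
    if (used + len + 1 > cap) return -1;          /* refuse to truncate a header */
    memcpy(out + used, s, len + 1);
    return 0;
}

/* Fills out with response headers and returns the status to send:
   204 = preflight answered, 403 = origin refused, 500 = buffer too small (ignore out),
   0 = not a preflight: add out to the normal response of the real handler. */
int pna_headers(const struct pna_request *rq, char *out, size_t cap)
{
    if (cap == 0) return 500;
    out[0] = '\0';
    if (rq->origin == NULL) return 0;             /* no Origin header: not a CORS request */
    if (strcmp(rq->origin, ALLOWED_ORIGIN) != 0) return 403;   /* never echo unknown origins */
    if (append(out, cap, "Access-Control-Allow-Origin: ") ||
        append(out, cap, ALLOWED_ORIGIN) ||
        append(out, cap, "\r\nVary: Origin\r\n")) return 500;
    if (strcmp(rq->method, "OPTIONS") != 0) return 0;          /* e.g. GET /events */
    if (append(out, cap, "Access-Control-Allow-Methods: GET\r\n")) return 500;
    /* Grant private-network access only when the browser asked for it. */
    if (rq->req_private_network && strcmp(rq->req_private_network, "true") == 0 &&
        append(out, cap, "Access-Control-Allow-Private-Network: true\r\n")) return 500;
    return 204;
}

int main(void)
{
    /* Constructed preflight, as a browser would send before GET /events. */
    struct pna_request rq = { "OPTIONS", ALLOWED_ORIGIN, "true" };
    char hdrs[256];
    int status = pna_headers(&rq, hdrs, sizeof hdrs);
    printf("HTTP status %d\n%s", status, hdrs);
    return 0;
}
```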
