Update SAMP hub web profile for Private Network Access

[mbtaylor]

The CORS HTTP server handling localhost web profile requests now does header manipulation as required by the Private Network Access proposal (https://wicg.github.io/private-network-access/). At present, the effect is to prevent recent versions of Google Chrome (e.g. 122) from complaining "Ensure private network requests are only made to resources that allow them"; future versions of Chrome or possibly other browsers may block such requests.

Description

This pull request is to address ...

Fixes #

• By checking this box, the PR author has requested that maintainers do NOT use the "Squash and Merge" button. Maintainers should respect this when possible; however, the final decision is at the discretion of the maintainer that merges the PR.

[github-actions]

Thank you for your contribution to Astropy! 🌌 This checklist is meant to remind the package maintainers who will review this pull request of some common things to look for.

• Do the proposed changes actually accomplish desired goals?
• Do the proposed changes follow the Astropy coding guidelines?
• Are tests added/updated as required? If so, do they follow the Astropy testing guidelines?
• Are docs added/updated as required? If so, do they follow the Astropy documentation guidelines?
• Is rebase and/or squash necessary? If so, please provide the author with appropriate instructions. Also see instructions for rebase and squash.
• Did the CI pass? If no, are the failures related? If you need to run daily and weekly cron jobs as part of the PR, please apply the "Extra CI" label. Codestyle issues can be fixed by the bot.
• Is a change log needed? If yes, did the change log check pass? If no, add the "no-changelog-entry-needed" label. If this is a manual backport, use the "skip-changelog-checks" label unless special changelog handling is necessary.
• Is this a big PR that makes a "What's new?" entry worthwhile and if so, is (1) a "what's new" entry included in this PR and (2) the "whatsnew-needed" label applied?
• At the time of adding the milestone, if the milestone set requires a backport to release branch(es), apply the appropriate "backport-X.Y.x" label(s) before merge.

[github-actions]

Welcome to Astropy 👋 and congratulations on your first pull request! 🎉

A project member will respond to you as soon as possible; in the meantime, please have a look over the Checklist for Contributed Code and make sure you've addressed as many of the questions there as possible.

If you feel that this pull request has not been responded to in a timely manner, please send a message directly to the development mailing list. If the issue is urgent or sensitive in nature (e.g., a security vulnerability) please send an e-mail directly to the private e-mail feedback@astropy.org.

[pllim]

Thanks!

Does this need user doc update too, in addition to change log?

[pllim]

@saimn , what is our policy to put URL in change log again? We don't want to have to go back and fix history when it breaks in the future, right?

[saimn]

Not sure but we already have a good number of URLs in the changelog so seems fine.

[mbtaylor]

I would say no user documentation change is required, but I'm not sure what the policy is about that. The change affects compatibility with different browsers/browser versions. Users aren't going to notice a change in behaviour, but web SAMP might work with this change when it doesn't in previous versions.

You can remove the URL from the change note if you want, I just thought that some traceability of the reason for the change would be useful. But I don't understand the W3C process that has created this proposed protocol change well enough to know how long-lived that document is expected to be, so it's possible that this link could become out of date at some point.

[tomdonaldson]

Thanks @mbtaylor . This looks good to me.

I committed the Change Log URL format change. I think it's fine to have the URL there for now as it provides a quick jump to useful information in understanding this change. If the URL dies, the link text is still specific enough to be searchable.

I looked briefly into adding a test for the change, but backed off when:

• It wasn't immediately obvious to me how to adapt the existing test to check the preflight (OPTIONS) headers.
• I didn't look deeper because the relevant test is disabled in CI for flaky behavior

  astropy/astropy/samp/tests/test_web_profile.py

  Line 28 in 62aaa29

  @pytest.mark.skipif(CI, reason="flaky in CI")

• I did manually verify in Chrome the desired behavior.

[pllim]

Thanks, all!