New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update SAMP hub web profile for Private Network Access #16193
Conversation
The CORS HTTP server handling localhost web profile requests now does header manipulation as required by the Private Network Access proposal (https://wicg.github.io/private-network-access/). At present, the effect is to prevent recent versions of Google Chrome (e.g. 122) from complaining "Ensure private network requests are only made to resources that allow them"; future versions of Chrome or possibly other browsers may block such requests.
Thank you for your contribution to Astropy! 🌌 This checklist is meant to remind the package maintainers who will review this pull request of some common things to look for.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Welcome to Astropy 👋 and congratulations on your first pull request! 🎉
A project member will respond to you as soon as possible; in the meantime, please have a look over the Checklist for Contributed Code and make sure you've addressed as many of the questions there as possible.
If you feel that this pull request has not been responded to in a timely manner, please send a message directly to the development mailing list. If the issue is urgent or sensitive in nature (e.g., a security vulnerability) please send an e-mail directly to the private e-mail feedback@astropy.org.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
Does this need user doc update too, in addition to change log?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@saimn , what is our policy to put URL in change log again? We don't want to have to go back and fix history when it breaks in the future, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure but we already have a good number of URLs in the changelog so seems fine.
I would say no user documentation change is required, but I'm not sure what the policy is about that. The change affects compatibility with different browsers/browser versions. Users aren't going to notice a change in behaviour, but web SAMP might work with this change when it doesn't in previous versions. You can remove the URL from the change note if you want, I just thought that some traceability of the reason for the change would be useful. But I don't understand the W3C process that has created this proposed protocol change well enough to know how long-lived that document is expected to be, so it's possible that this link could become out of date at some point. |
Co-authored-by: P. L. Lim <2090236+pllim@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @mbtaylor . This looks good to me.
I committed the Change Log URL format change. I think it's fine to have the URL there for now as it provides a quick jump to useful information in understanding this change. If the URL dies, the link text is still specific enough to be searchable.
I looked briefly into adding a test for the change, but backed off when:
- It wasn't immediately obvious to me how to adapt the existing test to check the preflight (OPTIONS) headers.
- I didn't look deeper because the relevant test is disabled in CI for flaky behavior
@pytest.mark.skipif(CI, reason="flaky in CI") - I did manually verify in Chrome the desired behavior.
Thanks, all! |
The CORS HTTP server handling localhost web profile requests now does header manipulation as required by the Private Network Access proposal (https://wicg.github.io/private-network-access/). At present, the effect is to prevent recent versions of Google Chrome (e.g. 122) from complaining "Ensure private network requests are only made to resources that allow them"; future versions of Chrome or possibly other browsers may block such requests.
Description
This pull request is to address ...
Fixes #