firebase · bkendall · Sep 20, 2022 · Mar 16, 2022 · Mar 16, 2022 · Mar 16, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,3 +2,4 @@
 - Refactor mechanism for invoking function triggers (#4886).
 - Add support for `HTTP_PROXY` and `HTTPS_PROXY` environment variables to `crashlytics:mappingfile:upload` and `crashlytics:symbols:upload` commands (#4604).
 - Fix Emulators not shutting down / exporting correctly when CLI update available (#4981).
+- Adds `access-control-allow-private-network=true` header to Auth and Storage emulators. Enables accessing at localhost:port when site is exposed via tunnel (#4227).
diff --git a/src/emulator/auth/server.ts b/src/emulator/auth/server.ts
@@ -120,6 +120,18 @@ export async function createApp(
 ): Promise<express.Express> {
   const app = express();
   app.set("json spaces", 2);
+
+  // Retrun access-control-allow-private-network heder if requested
+  // Enables accessing locahost when site is exposed via tunnel see https://github.com/firebase/firebase-tools/issues/4227
+  // Aligns with https://wicg.github.io/private-network-access/#headers
+  // Replace with cors option if adopted, see https://github.com/expressjs/cors/issues/236
+  app.use("/", (req, res, next) => {
+    if (req.headers["access-control-request-private-network"]) {
+      res.setHeader("access-control-allow-private-network", "true");
+    }
+    next();
+  });
+
   // Enable CORS for all APIs, all origins (reflected), and all headers (reflected).
   // This is similar to production behavior. Safe since all APIs are cookieless.
   app.use(cors({ origin: true }));

diff --git a/src/emulator/storage/server.ts b/src/emulator/storage/server.ts
@@ -25,6 +25,17 @@ export function createApp(
     `Temp file directory for storage emulator: ${storageLayer.dirPath}`
   );
 
+  // Retrun access-control-allow-private-network header if requested
+  // Enables accessing locahost when site is exposed via tunnel see https://github.com/firebase/firebase-tools/issues/4227
+  // Aligns with https://wicg.github.io/private-network-access/#headers
+  // Replace with cors option if adopted, see https://github.com/expressjs/cors/issues/236
+  app.use("/", (req, res, next) => {
+    if (req.headers["access-control-request-private-network"]) {
+      res.setHeader("access-control-allow-private-network", "true");
+    }
+    next();
+  });
+
   // Enable CORS for all APIs, all origins (reflected), and all headers (reflected).
   // This is similar to production behavior. Safe since all APIs are cookieless.
   app.use(

diff --git a/src/test/emulators/auth/rest.spec.ts b/src/test/emulators/auth/rest.spec.ts
@@ -17,6 +17,7 @@ describeAuthEmulator("REST API mapping", ({ authApi }) => {
       .options("/")
       .set("Origin", "example.com")
       .set("Access-Control-Request-Headers", "Authorization,X-Client-Version,X-Whatever-Header")
+      .set("Access-Control-Request-Private-Network", "true")
       .then((res) => {
         expectStatusCode(204, res);
 
@@ -29,6 +30,10 @@ describeAuthEmulator("REST API mapping", ({ authApi }) => {
           "X-Client-Version",
           "X-Whatever-Header",
         ]);
+
+        // Check that access-control-allow-private-network = true
+        // Enables accessing locahost when site is exposed via tunnel see https://github.com/firebase/firebase-tools/issues/4227
+        expect(res.header["access-control-allow-private-network"]).to.eql("true");
       });
   });