Hi,
Now when chrome 102 is out I wanted to test it so I ran it with 
*--enable-features=PrivateNetworkAccessRespectPreflightResults*
There's one thing I'm trying to understand,
I have an HTML page with a script tag, the src of this tag points to a more 
private network, the default behavior of script tags is not to trigger CORS 
and since v102 they do trigger it which is expected.
My question is:
I'm getting this error: *"Response to preflight request doesn't pass access 
control check: The value of the 'Access-Control-Allow-Credentials' header 
in the response is '' which must be 'true' when the request's credentials 
mode is 'include'."*
I never asked to send credentials in my script tag, I guess I can force not 
send it by adding *crossorigin="" *to the tag but shouldn't the default 
behavior be not to send it with credentials?
On Saturday, May 28, 2022 at 12:47:02 AM UTC+3 Andrew Boeger wrote:

> Hi all -
>
> Just want to call out that this assumption...
> Chrome 102 should also not break anything, since we are sending preflights 
> in warning-only mode. If the preflight fails, a warning is displayed in 
> DevTools but the request proceeds as before
> ... turned out to be false.
>
> The change recently deployed DOES break things. It has broken our internal 
> admin tool our CS teams use to manage customer accounts. 
>
> Bug opened here > 
> https://bugs.chromium.org/p/chromium/issues/detail?id=1329248
>
> In meantime, I have my users moving to other browsers because this has 
> broken a critical function for them. 
>
> On Wednesday, April 20, 2022 at 3:47:36 AM UTC-5 Titouan Rigoudy wrote:
>
>> Hi there,
>>
>> John: that's due to another facet of Private Network Access (not this 
>> intent) that started a deprecation trial in Chrome 94. See 
>> https://chromestatus.com/feature/5436853517811712. Unless signed up for 
>> the deprecation trial, HTTP websites are no longer allowed to make any 
>> requests to private servers.
>>
>> Martin: there will be no breaking change in Chrome 101. I need to update 
>> the blog post to make the new timeline clearer.
>>
>> Chrome 102 should also not break anything, since we are sending 
>> preflights in warning-only mode. If the preflight fails, a warning is 
>> displayed in DevTools but the request proceeds as before. As explained 
>> above, this will remain the case until at least Chrome 105, at which point 
>> we may turn on enforcement: when a preflight fails, the request should not 
>> be sent and fail. That remains subject to compatibility risk evaluation.
>>
>> Cheers,
>> Titouan
>>
>> On Wed, Apr 20, 2022 at 3:06 AM Martin H <mrtn...@gmail.com> wrote:
>>
>>> Hi Titouan, Blink Devs,
>>>
>>> Thank you for this news above. 
>>> I work for a software vendor affected by this change, our software 
>>> installs a small (https://localhost:60500) web server on a users local 
>>> machine and our https:// SAAS web application connects  to this to hand off 
>>> various features
>>> We were under the impression this change was to occur in Chrome 101 and 
>>> have been moving to that timeline rapidly but reading the above I 
>>> understand this has changed (confusingly though much of the documentation 
>>> online still carries older dates and talks about the change as early as 101 
>>> or 102. )
>>>
>>> Should I now understand that *if* this makes Chrome 102 as hoped, you 
>>> will have 3 mile stone releases (aka 102, 103, 104 ) with an intent to ship 
>>> "private network access" changes in 105?  
>>> I would understand it's just an estimate based on feedback around this 
>>> change but as it stands our business is anticipating change as early as 
>>> next week as this is when 101 was due to ship production. 
>>> it would therefore be extremely beneficial if we understand we have more 
>>> time to work with customers around this, we have produced updated compliant 
>>> local components on our end and released this in the past few weeks but as 
>>> you might expect we need time to address this with every single one of our 
>>> customers, as Chromium based browsers form the overwhelming majority of 
>>> users. 
>>>
>>> Ultimately my requirement is to advise customers on the change as best 
>>> as possible, including how to ensure the change is not deployed as some 
>>> will need time to update their entire fleets. 
>>> When I install Chrome dev 102 build, it seems like our software still 
>>> works as is today. I assume as it's not on yet. Would someone be able to 
>>> state which flags I should enable to replicate what will happen when this 
>>> change goes live?
>>>
>>> Is it just the #block-insecure-private-network-requests 
>>> Do I need to 
>>> configure #private-network-access-send-preflights or 
>>> #private-network-access-respect-preflight-results
>>> Today all these settings are just "Default
>>>
>>> Thanks in advance, please let me know if there is a better forum for 
>>> this request.
>>> Martin
>>>
>>>
>>> On Wednesday, April 20, 2022 at 3:28:37 AM UTC+10 John Doe wrote:
>>>
>>>> Sorry seems I accidently switched the S sides in the first question, I 
>>>> meant from public HTTP to private HTTPS so it shouldn't be mixed content, 
>>>> and in such case there's no preflight request.
>>>> As I mentioned I installed chrome 98 to test it, when accessing a 
>>>> resource from public HTTPS to private HTTPS there's a preflight request 
>>>> but 
>>>> no such request on an access from public HTTP to private HTTPS.
>>>>
>>>> On Tuesday, April 19, 2022 at 7:27:42 PM UTC+3 Titouan Rigoudy wrote:
>>>>
>>>>> Hi there,
>>>>>
>>>>> 1. Such requests are blocked by mixed content. This launch does not 
>>>>> change that.
>>>>> 2. You will want to respond 200 OK to PNA preflight requests to your 
>>>>> private HTTPS server with the right headers. See the blog post [1] for 
>>>>> details.
>>>>>
>>>>> Cheers,
>>>>> Titouan
>>>>>
>>>>> [1] 
>>>>> https://developer.chrome.com/blog/private-network-access-preflight/#server-side-requests
>>>>>
>>>>> On Sun, Apr 17, 2022 at 4:56 PM John Doe <clas...@gmail.com> wrote:
>>>>>
>>>>>> 1. In Chrome 98, there were no preflight requests when accessing from 
>>>>>> public HTTPS to private HTTP, will the same be true in the final version?
>>>>>> 2. In the case when I have a private HTTPS server that I want 
>>>>>> everyone to have access to (also via public HTTP), what options do I 
>>>>>> have ?
>>>>>>
>>>>>> On Wednesday, April 6, 2022 at 8:23:58 PM UTC+3 Titouan Rigoudy wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Thanks for the timely question, I was about to send an update here.
>>>>>>>
>>>>>>> We have fixed nearly all of the blockers identified in the above 
>>>>>>> doc. The only outstanding issue is the aforementioned crash, which 
>>>>>>> required 
>>>>>>> a bit more design work than the rest. That work has been completed and 
>>>>>>> CLs 
>>>>>>> to fix the problem are now in review; they should land shortly and make 
>>>>>>> it 
>>>>>>> in Chrome 102.
>>>>>>>
>>>>>>> We would like to ship again in Chrome 102 in warning-only mode, just 
>>>>>>> as we last tried in Chrome 98. Preflights will be sent but their 
>>>>>>> results 
>>>>>>> will not be enforced. Failed preflights will show warnings in DevTools, 
>>>>>>> but 
>>>>>>> requests will otherwise continue unimpeded.
>>>>>>>
>>>>>>> Things will stay that way for at least 3 milestones. We will gather 
>>>>>>> compatibility data by monitoring failed preflights, then circle back 
>>>>>>> here 
>>>>>>> to garner approvals to turn on enforcement. That launch will be 
>>>>>>> accompanied 
>>>>>>> by a deprecation trial for web developers to sign up for a time 
>>>>>>> extension 
>>>>>>> if they failed to notice the warnings in time.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Titouan
>>>>>>>
>>>>>>> On Wed, Apr 6, 2022 at 3:29 AM Logan Wei <shapi...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hello,  is there now an updated timeline to roll out this change?  
>>>>>>>> Will the trial restart in Chrome 102 or a later version?  
>>>>>>>>
>>>>>>>> On Wednesday, March 2, 2022 at 6:36:21 PM UTC+8 Titouan Rigoudy 
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> Here's the promised doc: 
>>>>>>>>> https://docs.google.com/document/d/1fdwetZXUz_Q03ZpGwXizq5AE1yn_lMhamUJMwvsHvTU/edit
>>>>>>>>>  
>>>>>>>>> (public, comment access for committers only)
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Titouan
>>>>>>>>>
>>>>>>>>> On Thu, Feb 17, 2022 at 3:29 PM Mike Taylor <mike...@chromium.org> 
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Thanks for the update Titouan. Looking forward to reading your 
>>>>>>>>>> doc.
>>>>>>>>>>
>>>>>>>>>> On 2/17/22 9:25 AM, Titouan Rigoudy wrote:
>>>>>>>>>>
>>>>>>>>>> Hi all, 
>>>>>>>>>>
>>>>>>>>>> Just to let you know that due to a couple issues, chief among 
>>>>>>>>>> which a renderer crash (crbug.com/1279376), we are rolling this 
>>>>>>>>>> feature back from Chrome 98.
>>>>>>>>>>
>>>>>>>>>> A few issues have been identified and will block our next attempt 
>>>>>>>>>> at shipping this. In the meantime, we gathered some useful 
>>>>>>>>>> information 
>>>>>>>>>> about impact and notified developers of the upcoming change. I'll 
>>>>>>>>>> write a 
>>>>>>>>>> doc summarizing the timeline and lessons learned, then share as 
>>>>>>>>>> appropriate 
>>>>>>>>>> here.
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Titouan
>>>>>>>>>>
>>>>>>>>>> On Mon, Dec 6, 2021 at 5:26 PM Chris Harrelson <
>>>>>>>>>> chri...@chromium.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> LGTM3 for step 1.
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Dec 6, 2021 at 6:11 AM Mike Taylor <mike...@chromium.org> 
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> LGTM2 for step 1.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/6/21 5:31 AM, Titouan Rigoudy wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> *assuming I get 2 more LGTMs, that is.
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Dec 6, 2021 at 11:31 AM Titouan Rigoudy <
>>>>>>>>>>>> tit...@google.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks! I'll come back for further discussion with UKM data in 
>>>>>>>>>>>>> hand. 
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>> Titouan
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Dec 6, 2021 at 10:58 AM Yoav Weiss <
>>>>>>>>>>>>> yoav...@chromium.org> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I agree UKM analysis should not block step 1, as it holds 
>>>>>>>>>>>>>> little risk. (There's still some risks that servers will choke 
>>>>>>>>>>>>>> in the face 
>>>>>>>>>>>>>> of preflights, but that seems minor compared to the enforcement 
>>>>>>>>>>>>>> risk) 
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Therefore,* LGTM1 for step 1* (preflights with no 
>>>>>>>>>>>>>> enforcement), but not further (yet). Please come back to this 
>>>>>>>>>>>>>> thread with 
>>>>>>>>>>>>>> any data you may have as a result of adding UKMs.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Dec 3, 2021 at 6:44 PM 'Titouan Rigoudy' via 
>>>>>>>>>>>>>> blink-dev <blin...@chromium.org> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Yoav, do you think UKM analysis should block sending 
>>>>>>>>>>>>>>> preflights without enforcing their success? I believe sending 
>>>>>>>>>>>>>>> these will 
>>>>>>>>>>>>>>> allow us to get more precise information on the affected 
>>>>>>>>>>>>>>> websites through 
>>>>>>>>>>>>>>> the usecounter recorded in crrev.com/c/3310846. I can then 
>>>>>>>>>>>>>>> analyze UKM data and use the results to inform the decision 
>>>>>>>>>>>>>>> whether and 
>>>>>>>>>>>>>>> when to switch enforcement on? 
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>> Titouan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Thu, Dec 2, 2021 at 5:19 PM Titouan Rigoudy <
>>>>>>>>>>>>>>> tit...@google.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I agree! 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>> Titouan
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Thu, Dec 2, 2021 at 5:17 PM Mike West <
>>>>>>>>>>>>>>>> mk...@chromium.org> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> _I_ don't think we should do that, but I'd defer to 
>>>>>>>>>>>>>>>>> Titouan's preference. :) 
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -mike
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Thu, Dec 2, 2021 at 5:14 PM Mike Taylor <
>>>>>>>>>>>>>>>>> mike...@chromium.org> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks - I also don't think there's a lot of value in 
>>>>>>>>>>>>>>>>>> this particular header being the odd-one-out, just wanted to 
>>>>>>>>>>>>>>>>>> confirm we're 
>>>>>>>>>>>>>>>>>> not going to ship "true" first and try to change that to ?1 
>>>>>>>>>>>>>>>>>> later (which is 
>>>>>>>>>>>>>>>>>> always challenging).
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/2/21 11:11 AM, Mike West wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I'm not sure it makes sense to introduce a structured 
>>>>>>>>>>>>>>>>>> header here, given that it's layering on top of CORS headers 
>>>>>>>>>>>>>>>>>> that I don't 
>>>>>>>>>>>>>>>>>> think there's substantial interest in changing. 
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> -mike
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Thu, Dec 2, 2021 at 4:55 PM 'Titouan Rigoudy' via 
>>>>>>>>>>>>>>>>>> blink-dev <blin...@chromium.org> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Mike, 
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> There is no support for structured headers so far, for 
>>>>>>>>>>>>>>>>>>> consistency reasons, and there has been no movement to 
>>>>>>>>>>>>>>>>>>> deprecate the "true" 
>>>>>>>>>>>>>>>>>>> value for Access-Control-Allow-Credentials. The value of 
>>>>>>>>>>>>>>>>>>> such a deprecation 
>>>>>>>>>>>>>>>>>>> seems minimal.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I could pretty easily add support for the structured 
>>>>>>>>>>>>>>>>>>> "?1" value on top of the "true" token for the new 
>>>>>>>>>>>>>>>>>>> Access-Control-Allow-Private-Network header, and specify 
>>>>>>>>>>>>>>>>>>> that, but I'm not 
>>>>>>>>>>>>>>>>>>> sure it would be terribly useful. Do you think otherwise?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>>>> Titouan
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Thu, Dec 2, 2021 at 4:45 PM Mike Taylor <
>>>>>>>>>>>>>>>>>>> mike...@chromium.org> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi Titouan,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I'm curious what the plan is for structured headers. 
>>>>>>>>>>>>>>>>>>>> https://github.com/WICG/private-network-access/issues/45 
>>>>>>>>>>>>>>>>>>>> is marked as blocked - has there been other progress or 
>>>>>>>>>>>>>>>>>>>> thinking behind the 
>>>>>>>>>>>>>>>>>>>> scenes?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> thanks,
>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 11/29/21 10:36 AM, 'Titouan Rigoudy' via blink-dev 
>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Contact emails tit...@chromium.org, va...@chromium.org
>>>>>>>>>>>>>>>>>>>> , cl...@chromium.org
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Explainer 
>>>>>>>>>>>>>>>>>>>> https://github.com/WICG/private-network-access/blob/main/explainer.md
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Specification 
>>>>>>>>>>>>>>>>>>>> https://wicg.github.io/private-network-access/
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Design docs 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Summary 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Sends a CORS preflight request ahead of any private 
>>>>>>>>>>>>>>>>>>>> network requests for subresources, asking for explicit 
>>>>>>>>>>>>>>>>>>>> permission from the 
>>>>>>>>>>>>>>>>>>>> target server. A private network request is any request 
>>>>>>>>>>>>>>>>>>>> from a public 
>>>>>>>>>>>>>>>>>>>> website to a private IP address or localhost, or from a 
>>>>>>>>>>>>>>>>>>>> private website 
>>>>>>>>>>>>>>>>>>>> (e.g. intranet) to localhost. Sending a preflight request 
>>>>>>>>>>>>>>>>>>>> mitigates the 
>>>>>>>>>>>>>>>>>>>> risk of cross-site request forgery attacks against private 
>>>>>>>>>>>>>>>>>>>> network devices 
>>>>>>>>>>>>>>>>>>>> such as routers, which are often not prepared to defend 
>>>>>>>>>>>>>>>>>>>> against this threat.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Blink component 
>>>>>>>>>>>>>>>>>>>> Blink>SecurityFeature>CORS>PrivateNetworkAccess 
>>>>>>>>>>>>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> TAG review 
>>>>>>>>>>>>>>>>>>>> https://github.com/w3ctag/design-reviews/issues/572
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> TAG review status Pending
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Risks 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Interoperability and Compatibility 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> The main interoperability risk, as always, is if other 
>>>>>>>>>>>>>>>>>>>> browser engines do not implement this. Compat risk is 
>>>>>>>>>>>>>>>>>>>> straightforward: web 
>>>>>>>>>>>>>>>>>>>> servers that do not handle the new preflight requests will 
>>>>>>>>>>>>>>>>>>>> eventually 
>>>>>>>>>>>>>>>>>>>> break, once the feature ships. The plan to address this is 
>>>>>>>>>>>>>>>>>>>> as follows: 1. 
>>>>>>>>>>>>>>>>>>>> Send preflight request, ignore result, always send actual 
>>>>>>>>>>>>>>>>>>>> request. Failed 
>>>>>>>>>>>>>>>>>>>> preflight requests will result in a warning being shown in 
>>>>>>>>>>>>>>>>>>>> devtools. 2. 
>>>>>>>>>>>>>>>>>>>> Wait for 3 milestones. 3. Gate actual request on preflight 
>>>>>>>>>>>>>>>>>>>> request success, 
>>>>>>>>>>>>>>>>>>>> with deprecation trial for developers to buy some more 
>>>>>>>>>>>>>>>>>>>> time. 4. End 
>>>>>>>>>>>>>>>>>>>> deprecation trial 4 milestones later. UseCounters: 
>>>>>>>>>>>>>>>>>>>> https://chromestatus.com/metrics/feature/timeline/popularity/3753
>>>>>>>>>>>>>>>>>>>>  
>>>>>>>>>>>>>>>>>>>> https://chromestatus.com/metrics/feature/timeline/popularity/3755
>>>>>>>>>>>>>>>>>>>>  
>>>>>>>>>>>>>>>>>>>> https://chromestatus.com/metrics/feature/timeline/popularity/3757
>>>>>>>>>>>>>>>>>>>>  
>>>>>>>>>>>>>>>>>>>> The above measure pages that make at least one private 
>>>>>>>>>>>>>>>>>>>> network request for 
>>>>>>>>>>>>>>>>>>>> which we would now send a preflight request.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Gecko: Worth prototyping (
>>>>>>>>>>>>>>>>>>>> https://github.com/mozilla/standards-positions/issues/143
>>>>>>>>>>>>>>>>>>>> )
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> WebKit: No signal (
>>>>>>>>>>>>>>>>>>>> https://lists.webkit.org/pipermail/webkit-dev/2021-November/032040.html)
>>>>>>>>>>>>>>>>>>>>  
>>>>>>>>>>>>>>>>>>>> Pending response.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Web developers: No signals Anecdotal evidence so far 
>>>>>>>>>>>>>>>>>>>> suggests that most web developers are OK with this new 
>>>>>>>>>>>>>>>>>>>> requirement, though 
>>>>>>>>>>>>>>>>>>>> some do not control the target endpoints and would be 
>>>>>>>>>>>>>>>>>>>> negatively impacted.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Other signals:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Ergonomics 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> None.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Activation 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Gating access to the private network overnight on 
>>>>>>>>>>>>>>>>>>>> preflight requests would likely result in widespread 
>>>>>>>>>>>>>>>>>>>> breakage. This is why 
>>>>>>>>>>>>>>>>>>>> the plan is to first send requests but not act on their 
>>>>>>>>>>>>>>>>>>>> result, giving 
>>>>>>>>>>>>>>>>>>>> server developers time to implement code handling these 
>>>>>>>>>>>>>>>>>>>> requests. 
>>>>>>>>>>>>>>>>>>>> Deprecation warnings will be surfaced in DevTools to alert 
>>>>>>>>>>>>>>>>>>>> web/client 
>>>>>>>>>>>>>>>>>>>> developers when the potential for breakage later on is 
>>>>>>>>>>>>>>>>>>>> detected. 
>>>>>>>>>>>>>>>>>>>> Enforcement will be turned on later (aiming for 3 
>>>>>>>>>>>>>>>>>>>> milestones), along with a 
>>>>>>>>>>>>>>>>>>>> deprecation trial for impacted web developers to buy 
>>>>>>>>>>>>>>>>>>>> themselves some more 
>>>>>>>>>>>>>>>>>>>> time. Experience suggests a large fraction of developers 
>>>>>>>>>>>>>>>>>>>> will not notice 
>>>>>>>>>>>>>>>>>>>> the advance deprecation warnings until things break.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Security 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> This change aims to be security-positive, preventing 
>>>>>>>>>>>>>>>>>>>> CSRF attacks against soft and juicy targets such as router 
>>>>>>>>>>>>>>>>>>>> admin 
>>>>>>>>>>>>>>>>>>>> interfaces. DNS rebinding threats were of particular 
>>>>>>>>>>>>>>>>>>>> concern during the 
>>>>>>>>>>>>>>>>>>>> design of this feature: 
>>>>>>>>>>>>>>>>>>>> https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit#heading=h.189j5gnadts9
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Debuggability 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Relevant information (client and resource IP address 
>>>>>>>>>>>>>>>>>>>> space) is already piped into the DevTools network panel. 
>>>>>>>>>>>>>>>>>>>> Deprecation 
>>>>>>>>>>>>>>>>>>>> warnings and errors will be surfaced in the DevTools 
>>>>>>>>>>>>>>>>>>>> issues panel 
>>>>>>>>>>>>>>>>>>>> explaining the problem when it arises.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Is this feature fully tested by web-platform-tests 
>>>>>>>>>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>
>>>>>>>>>>>>>>>>>>>> ? Yes
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> DevTrial instructions 
>>>>>>>>>>>>>>>>>>>> https://github.com/WICG/private-network-access/blob/main/HOWTO.md
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Flag name PrivateNetworkAccessRespectPreflightResults
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Requires code in //chrome? False
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Tracking bug https://crbug.com/591068
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Launch bug https://crbug.com/1274149
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Estimated milestones 
>>>>>>>>>>>>>>>>>>>> DevTrial on desktop 98 
>>>>>>>>>>>>>>>>>>>> DevTrial on android 98 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Link to entry on the Chrome Platform Status 
>>>>>>>>>>>>>>>>>>>> https://chromestatus.com/feature/5737414355058688
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Links to previous Intent discussions Intent to 
>>>>>>>>>>>>>>>>>>>> prototype: 
>>>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/PrB0xnNxaHs/m/jeoxvNjXCAAJ
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> This intent message was generated by Chrome Platform 
>>>>>>>>>>>>>>>>>>>> Status <https://www.chromestatus.com/>.
>>>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>>>> You received this message because you are subscribed to 
>>>>>>>>>>>>>>>>>>>> the Google Groups "blink-dev" group.
>>>>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving 
>>>>>>>>>>>>>>>>>>>> emails from it, send an email to 
>>>>>>>>>>>>>>>>>>>> blink-dev+...@chromium.org.
>>>>>>>>>>>>>>>>>>>> To view this discussion on the web visit 
>>>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9fdAK%2BnrTfUzug8ub_DhV_LE0b7XrgZ7j5%2Bj_BHtW-FXg%40mail.gmail.com
>>>>>>>>>>>>>>>>>>>>  
>>>>>>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9fdAK%2BnrTfUzug8ub_DhV_LE0b7XrgZ7j5%2Bj_BHtW-FXg%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>>> You received this message because you are subscribed to 
>>>>>>>>>>>>>>>>>>> the Google Groups "blink-dev" group.
>>>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails 
>>>>>>>>>>>>>>>>>>> from it, send an email to blink-dev+...@chromium.org.
>>>>>>>>>>>>>>>>>>> To view this discussion on the web visit 
>>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9f3dAnHromxwvp8jWRxVLYVKZ0PAG5snX2KDFAYz4kc7Q%40mail.gmail.com
>>>>>>>>>>>>>>>>>>>  
>>>>>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9f3dAnHromxwvp8jWRxVLYVKZ0PAG5snX2KDFAYz4kc7Q%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>> You received this message because you are subscribed to the 
>>>>>>>>>>>>>>> Google Groups "blink-dev" group.
>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails 
>>>>>>>>>>>>>>> from it, send an email to blink-dev+...@chromium.org.
>>>>>>>>>>>>>>> To view this discussion on the web visit 
>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9ePgpof%2BBDWS9X7sfHHAqgc6Arem3b78ZGC%3D%2Bp4jB6_AQ%40mail.gmail.com
>>>>>>>>>>>>>>>  
>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9ePgpof%2BBDWS9X7sfHHAqgc6Arem3b78ZGC%3D%2Bp4jB6_AQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>> -- 
>>>>>>>>>>>> You received this message because you are subscribed to the 
>>>>>>>>>>>> Google Groups "blink-dev" group.
>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from 
>>>>>>>>>>>> it, send an email to blink-dev+...@chromium.org.
>>>>>>>>>>>> To view this discussion on the web visit 
>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6e557fb7-5b1d-20bc-aae5-65526ca8efb7%40chromium.org
>>>>>>>>>>>>  
>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6e557fb7-5b1d-20bc-aae5-65526ca8efb7%40chromium.org?utm_medium=email&utm_source=footer>
>>>>>>>>>>>> .
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/b1999eef-ae5c-4d90-85c0-bbcc8ddc8334n%40chromium.org.

Reply via email to