LGTM to extend the deprecation trial from M107 to *M109* (inclusive). If further extension is needed, I'd love to hear back from y'all on progress you're making in outreach to affected sites, and in them adopting the user permission model.
On Sat, Jul 30, 2022 at 2:20 AM Jonathan Hao <[email protected]> wrote: > Contact emails > > > *[email protected] <[email protected]> (on leave), > [email protected] <[email protected]>, [email protected] > <[email protected]>, [email protected] <[email protected]>, [email protected] > <[email protected]> *Explainer > > > *https://github.com/WICG/private-network-access/blob/master/explainer.md > <https://github.com/WICG/private-network-access/blob/master/explainer.md>* > Specification > > > *https://wicg.github.io/private-network-access/ > <https://wicg.github.io/private-network-access/>*Design docs > > > *https://docs.google.com/document/d/1x1a1fQLOrcWogK3tpFBgQZQ5ZjcONTvD0IqqXkgrg5I/edit#heading=h.7nki9mck5t64 > <https://docs.google.com/document/d/1x1a1fQLOrcWogK3tpFBgQZQ5ZjcONTvD0IqqXkgrg5I/edit#heading=h.7nki9mck5t64>* > Summary > > > > *Requires that private network requests for subresources from public > websites may only be initiated from a secure context. Examples include > internet to intranet requests and internet to loopback requests. This is a > first step towards fully implementing Private Network Access: > https://wicg.github.io/private-network-access/ > <https://wicg.github.io/private-network-access/>*Reason this trial is > being extended > > > > *The first phase of the PNA project was to prohibit public HTTP pages from > making requests on the private network. Because some pages require this, we > implemented a deprecation trial that sites can use to maintain > functionality. As described in this doc > <https://docs.google.com/document/d/1i72m-jAdr4BZtJ1eakEmMPuVZEA9av9m38oxdtE5AHY/edit?resourcekey=0-sR08ze1IiKkjxgek07XL-w>, > we have now realized that there are legitimate use cases for this > functionality, and no good workaround for websites. So we decided to allow > Mixed contents restrictions to be relaxed to allow an HTTPS page to request > HTTP resources on the private network. We are currently implementing a > permission prompt > <https://github.com/iVanlIsh/private-network-access/blob/main/explainer.md> > for users to give the aforementioned permission and aim to ship it in > M107. An extension is necessary to give web developers time to upgrade > their pages to HTTPS.Previous experiment timeline: M94 to M106Requested > extension timeline: M107 to M113*Blink component > > > *Blink>SecurityFeature>CORS>PrivateNetworkAccess > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>*TAG > review > > > *https://github.com/w3ctag/design-reviews/issues/572 > <https://github.com/w3ctag/design-reviews/issues/572>*TAG review status > > > *Completed*Risks > > Interoperability and CompatibilityNo interoperability risks. > Compatibility risk is small but non-negligible. UseCounters show ~0.1% of > page visit making use of this feature. Direct outreach to the largest users > per UKM data revealed no objections to this launch. > > > > > > > > *Rolling this deprecation out to beta per the previous I2S resulted in > more feedback about the compatibility risk and the need for a time > extension. See the following doc for an extensive discussion: > https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit > <https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit>Gecko: > Worth prototyping > (https://github.com/mozilla/standards-positions/issues/143 > <https://github.com/mozilla/standards-positions/issues/143>) Tentatively > positive, but no formal position yet.WebKit: Positive > (https://lists.webkit.org/pipermail/webkit-dev/2021-May/031837.html > <https://lists.webkit.org/pipermail/webkit-dev/2021-May/031837.html>)Web > developers: Negative > (https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit > <https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit>) > Some websites, broadly falling in the category of controller webapps for > IoT devices, find this change incompatible with their use cases. While many > use cases can be solved with specific workarounds, some still require > further engagement.Other signals:*Activation > > > > > *Developers of non-secure sites that rely upon local servers will need to > upgrade to HTTPS. This might cause some complications, as mixed-content > checks will begin to apply unless users give explicit permission. Chrome > carves out HTTP access to loopback (as per > https://w3c.github.io/webappsec-secure-contexts/#localhost > <https://w3c.github.io/webappsec-secure-contexts/#localhost>), which is a > release valve for folks who don't want to go through the effort of > securely-distributing certs for local servers.The initial launch in M92 was > delayed due to compatibility risks surfaced during the rollout to beta. See > this doc for a lot more details: > https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit > <https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit>* > Security > > > > *This change should be security-positive.*WebView application risks > > > > *Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications?* > Debuggability > > > > > > > *When a request is made that violates this restriction and the feature is > not enabled, three things happen:1. A warning message is logged to the > DevTools console.2. A deprecation report is filed against the initiator > website's Reporting API, if so configured.3. An issue is surfaced in the > DevTools Issues panel.Likewise, when the feature is enabled and a request > is blocked, the same happens except that the message logged to the DevTools > console is an error and its text is slightly different.The devtools network > panel shows information about the source and remote address spaces at play.*Is > this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ? > > > *Yes*Flag name > > > *BlockInsecurePrivateNetworkRequests*Requires code in //chrome? > > > *False*Tracking bug > > > *https://crbug.com/986744 <https://crbug.com/986744>*Launch bug > > > *https://crbug.com/1129801 <https://crbug.com/1129801>*Estimated > milestones > > > > > > > *OriginTrial desktop last113OriginTrial desktop first94DevTrial on > desktop86OriginTrial Android last113OriginTrial Android first94DevTrial on > Android86*Link to entry on the Chrome Platform Status > > > *https://chromestatus.com/feature/5436853517811712 > <https://chromestatus.com/feature/5436853517811712>*Links to previous > Intent discussions > > Intent to prototype: > https://groups.google.com/a/chromium.org/g/blink-dev/c/EeGg7TxW6U4/m/7ZvqAqHLAwAJ > > Ready for Trial: > https://groups.google.com/a/chromium.org/g/blink-dev/c/EeGg7TxW6U4/m/7ZvqAqHLAwAJ > > Intent to Experiment: > https://groups.google.com/a/chromium.org/g/blink-dev/c/vlDZXlPb00k/m/1421ACiuAAAJ > > Intent to Extend Experiment: > https://groups.google.com/a/chromium.org/g/blink-dev/c/JPD001kqeck > > Intent to Ship: > https://groups.google.com/a/chromium.org/g/blink-dev/c/cPiRNjFoCag/m/DxEEN9-6BQAJ > > Intent to Extend Deprecation Trial (1st time): > https://groups.google.com/a/chromium.org/g/blink-dev/c/JPD001kqeck > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABsQ2jFnp8r6ReURjuP%3DOULNhnYZrLwASjmoasXEEgRWiivZwg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABsQ2jFnp8r6ReURjuP%3DOULNhnYZrLwASjmoasXEEgRWiivZwg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfUMr_CV%3DbzCUPB%3Dj4uFRM_AZ%2B%3DDetq8s7eb9FaSxkVaWQ%40mail.gmail.com.
