LGTM3

On Mon, Sep 18, 2023 at 6:21 AM Yoav Weiss <[email protected]> wrote:

> LGTM2
>
> On Mon, Sep 18, 2023 at 3:16 PM Mike Taylor <[email protected]>
> wrote:
>
>> LGTM1. Curious to know (but happy to not know) how many local servers are
>> running in my car...
>>
>> On 9/18/23 5:30 AM, Jonathan Hao wrote:
>>
>> Contact emails [email protected]
>>
>> Explainer
>> https://github.com/WICG/private-network-access/blob/main/explainer.md
>>
>> Specification https://github.com/WICG/private-network-access
>>
>> Design docs
>>
>> https://docs.google.com/document/d/1ozjh-G6faEEkgVp__mjq6c_4U93sS4kK4zoelTE7Awg/edit?usp=sharing
>>
>> Summary
>>
>> Enforce (instead of just warn) Private Network Access restrictions on
>> Chrome for Android Automotive (if BuildInfo::is_automotive), including:
>> - Private Network Access preflight requests for subresources. See
>>   https://chromestatus.com/feature/5737414355058688, and
>> - Private Network Access for Workers. See
>>   https://chromestatus.com/feature/5742979561029632
>>
>> Blink component Blink>SecurityFeature>CORS>PrivateNetworkAccess
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
>>
>> TAG review https://github.com/w3ctag/design-reviews/issues/572
>>
>> TAG review status Issues addressed
>>
>> Origin Trial documentation link
>> https://github.com/WICG/private-network-access/blob/main/explainer.md
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Android Automotive is going to be a new platform, so no websites should
>> rely on making private network requests yet. And our purpose is to ship
>> this from the beginning to avoid future compatibility risks.
>>
>> *Gecko*: Positive (
>> https://github.com/mozilla/standards-positions/issues/143)
>>
>> *WebKit*: Positive (
>> https://github.com/WebKit/standards-positions/issues/163)
>>
>> *Web developers*: Mixed signals Anecdotal evidence so far suggests that
>> most web developers are OK with this new requirement, though some do not
>> control the target endpoints and would be negatively impacted.
>>
>> *Other signals*:
>>
>> Security
>>
>> This change aims to be security-positive, preventing CSRF attacks against
>> soft and juicy targets such as router admin interfaces. It does not cover
>> navigation requests, which are to be addressed in followup launches. DNS
>> rebinding threats were of particular concern during the design of this
>> feature:
>> https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit#heading=h.189j5gnadts9
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that
>> it has potentially high risk for Android WebView-based applications?
>>
>> None
>>
>> Debuggability
>>
>> Relevant information (client and resource IP address space) is already
>> piped into the DevTools network panel. Deprecation warnings and errors will
>> be surfaced in the DevTools issues panel explaining the problem when it
>> arises.
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, Chrome OS, Android, and Android WebView)? No
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>> ? Yes
>>
>> Flag name on chrome://flags None
>>
>> Finch feature name PrivateNetworkAccessRestrictionsForAutomotive
>>
>> Requires code in //chrome? False
>>
>> Estimated milestones
>> Shipping on Android (only when is_automotive=true) 119
>>
>> Anticipated spec changes
>>
>> Open questions about a feature may be a source of future web compat or
>> interop issues. Please list open issues (e.g. links to known github issues
>> in the project for the feature specification) whose resolution may
>> introduce web compat/interop risk (e.g., changing to naming or structure of
>> the API in a non-backward-compatible way).
>> None
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5082807021338624
>>
>> Links to previous Intent discussions Intent to prototype:
>> https://groups.google.com/a/chromium.org/g/blink-dev/c/MO2HmKaFe8c/m/vljPBcxdAQAJ
>>
>> This intent message was generated by Chrome Platform Status
>> <https://chromestatus.com/>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw8%2BKoxAj7KQWufrtj_evR-74EgO39kJTDSrSbWVnDULHA%40mail.gmail.com.
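
The preflight exchange that the quoted intent enforces, sketched from the device side as an added example (not part of the thread and not Chromium code). The header names and the "local"/"private"/"public" address spaces follow the Private Network Access draft linked above; the function names, `ALLOWED_ORIGINS`, and the IPv4-only classification limited to loopback, RFC 1918 and link-local ranges are assumptions made for illustration.

```javascript
// Added example. Lower number = more private address space.
const ORDER = { local: 0, private: 1, public: 2 };

// Classify an IPv4 literal (simplified: loopback, RFC 1918, link-local).
// IPv6 and unparsable input are out of scope here and return null.
function addressSpace(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 127) return 'local';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254)) return 'private';
  return 'public';
}

// A private network request targets a more private space than the client's.
function needsPnaPreflight(clientIp, targetIp) {
  const c = addressSpace(clientIp);
  const t = addressSpace(targetIp);
  if (c === null || t === null) return null;
  return ORDER[t] < ORDER[c];
}

// Constructed allowlist: the only origin this device agrees to serve.
const ALLOWED_ORIGINS = new Set(['https://dashboard.example']);

// Device-side handler for the OPTIONS preflight. It opts in to private
// network access only for allowlisted origins, so a page on any other
// origin cannot get its cross-site request past the browser check.
function handlePreflight(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const origin = h['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  const out = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'GET, POST',
    'Vary': 'Origin',
  };
  if (h['access-control-request-private-network'] === 'true') {
    out['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers: out };
}
```

With enforcement on, a preflight response that lacks `Access-Control-Allow-Private-Network: true` causes the browser to block the request instead of only logging a warning.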
