Contact emails: [email protected]

Explainer: None

Specification: https://wicg.github.io/private-network-access

Summary

We propose to block access to IP address 0.0.0.0 in advance of PNA completely rolling out.

Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification (https://developer.chrome.com/blog/private-network-access-preflight/). Services listening on the localhost (127.0.0.0/8) are considered private according to the specification (https://wicg.github.io/private-network-access/#ip-address-space-heading).

Chrome's PNA protection (rolled out as part of https://chromestatus.com/feature/5436853517811712) can be bypassed using the IP address 0.0.0.0 to access services listening on the localhost on macOS and Linux. This can also be abused in DNS rebinding attacks targeting a web application listening on the localhost.

Since 0.0.0.0 is not used in practice (and should not be used), but was overlooked during https://chromestatus.com/feature/5436853517811712, we're deprecating it separately from the rest of the private network requests deprecation. This will be a Finch (experimental) rollout, rather than a Developer Trial.
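A small model of the address-space check this intent tightens, added here as an example and not Chromium's code: it classifies a target by PNA address space and shows that, without the new rule, a fetch from a public page to 0.0.0.0 is judged "public" even though the connection reaches the local host on macOS and Linux. The private prefix list and the preflight rule are simplifying assumptions.

```python
import ipaddress

# PNA address spaces (spec section "IP address space"): "local" for loopback,
# "private" for private/link-local ranges, "public" for everything else.
# The private prefixes below are an assumption for this example.
_LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
_PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # unique local (IPv6)
)]
# 0.0.0.0/8 is the "this network" block. It is neither loopback nor private,
# yet on macOS and Linux a connection to 0.0.0.0 is delivered to the local host.
_NULL_IP = ipaddress.ip_network("0.0.0.0/8")

def _normalize(ip_text: str):
    """Parse an address; unwrap ::ffff:a.b.c.d so it is judged like a.b.c.d."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def address_space(ip_text: str) -> str:
    """Classify a target address as 'local', 'private' or 'public'."""
    ip = _normalize(ip_text)
    if any(ip in net for net in _LOOPBACK):
        return "local"
    if any(ip in net for net in _PRIVATE):
        return "private"
    return "public"  # 0.0.0.0 lands here: this is the gap the intent closes

_RANK = {"local": 0, "private": 1, "public": 2}  # lower = more private

def request_decision(initiator_space: str, target_ip: str,
                     preflight_ok: bool = False, block_null_ip: bool = True) -> str:
    """Return 'allow', 'preflight' or 'block' for a fetch from a page in
    initiator_space to target_ip. block_null_ip=False models behaviour before
    this intent; the preflight rule is a simplified model of PNA, not Chrome's."""
    ip = _normalize(target_ip)
    if block_null_ip and ip in _NULL_IP:
        return "block"  # the rule this intent adds: 0.0.0.0 is refused outright
    target_space = address_space(str(ip))
    if _RANK[target_space] >= _RANK[initiator_space]:
        return "allow"  # target is no more private than the initiator
    # A private network request: the target must have approved it via preflight.
    return "allow" if preflight_ok else "preflight"
```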
Blink component: Blink>SecurityFeature>CORS>PrivateNetworkAccess <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>

Search tags: security <https://chromestatus.com/features#tags:security>, Private Network Access <https://chromestatus.com/features#tags:Private%20Network%20Access>

TAG review: None

TAG review status: Not applicable

Chromium Trial Name: PrivateNetworkAccessNullIpAddressAllowed

Origin Trial documentation link: https://crbug.com/1300021

WebFeature UseCounter name: kPrivateNetworkAccessNullIpAddress

Risks

Interoperability and Compatibility: None

*Gecko*: Closed Without a Position (https://github.com/mozilla/standards-positions/issues/143)

*WebKit*: Support (https://github.com/WebKit/standards-positions/issues/163)

*Web developers*: No signals

*Other signals*:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None

Goals for experimentation

Ongoing technical constraints

Eventually, all private network access will be limited according to the developing Private Network Access spec.
Debuggability: None

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? Yes

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? No

Flag name on chrome://flags: block-null-ip-address

Finch feature name: PrivateNetworkAccessNullIpAddress

Requires code in //chrome? False

Tracking bug: https://crbug.com/1300021

Estimated milestones

Shipping on desktop: 133
Origin trial desktop first: 127
Origin trial desktop last: 133
DevTrial on desktop: 127
Shipping on Android: 133
OriginTrial Android first: 127
OriginTrial Android last: 133
DevTrial on Android: 127
Shipping on WebView: 133
OriginTrial webView first: 127
OriginTrial webView last: 133

Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/5106143060033536

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
