On Mon, Jun 3, 2024 at 12:06 PM 'David Adrian' via blink-dev <[email protected]> wrote:

> Chrome Status doesn't generate emails for the deprecation trials, only
> developer trials, so I've repurposed that here. This is a Finch managed
> rollout, not a developer opt-in, due to the extremely low usage that seems
> to be almost entirely malware.
>

Can you please elaborate on the analysis: how low is the usage and how did you check that the use is malware?

Also, just to confirm, this is an intent to deprecate and remove but you're planning on rolling out the removal gradually via finch, right?

Thanks!
Vlad

>
> On Mon, Jun 3, 2024 at 12:03 PM David Adrian <[email protected]> wrote:
>
>> Contact [email protected]
>>
>> Explainer: None
>>
>> Specification: https://wicg.github.io/private-network-access
>>
>> Summary
>>
>> We propose to block access to IP address 0.0.0.0 in advance of PNA
>> completely rolling out. Chrome is deprecating direct access to private
>> network endpoints from public websites as part of the Private Network
>> Access (PNA) specification
>> (https://developer.chrome.com/blog/private-network-access-preflight/).
>> Services listening on the localhost (127.0.0.0/8) are considered private
>> according to the specification
>> (https://wicg.github.io/private-network-access/#ip-address-space-heading).
>> Chrome's PNA protection (rolled out as part of
>> https://chromestatus.com/feature/5436853517811712) can be bypassed using
>> the IP address 0.0.0.0 to access services listening on the localhost on
>> macOS and Linux. This can also be abused in DNS rebinding attacks targeting
>> a web application listening on the localhost. Since 0.0.0.0 is not used in
>> practice (and should not be used), but was overlooked during
>> https://chromestatus.com/feature/5436853517811712, we're deprecating it
>> separately from the rest of the private network requests deprecation. This
>> will be a Finch (experimental) rollout, rather than a Developer Trial.
>>
>> Blink component: Blink>SecurityFeature>CORS>PrivateNetworkAccess
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
>>
>> Search tags: security <https://chromestatus.com/features#tags:security>,
>> Private Network Access
>> <https://chromestatus.com/features#tags:Private%20Network%20Access>
>>
>> TAG review: None
>>
>> TAG review status: Not applicable
>>
>> Chromium Trial Name: PrivateNetworkAccessNullIpAddressAllowed
>>
>> Origin Trial documentation link: https://crbug.com/1300021
>>
>> WebFeature UseCounter name: kPrivateNetworkAccessNullIpAddress
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> None
>>
>> *Gecko*: Closed Without a Position
>> (https://github.com/mozilla/standards-positions/issues/143)
>>
>> *WebKit*: Support
>> (https://github.com/WebKit/standards-positions/issues/163)
>>
>> *Web developers*: No signals
>>
>> *Other signals*:
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that
>> it has potentially high risk for Android WebView-based applications?
>>
>> None
>>
>> Goals for experimentation
>>
>> Ongoing technical constraints
>>
>> Eventually, all private network access will be limited according to the
>> developing Private Network Access spec.
>>
>> Debuggability
>>
>> None
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, ChromeOS, Android, and Android WebView)? Yes
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>> No
>>
>> Flag name on chrome://flags: block-null-ip-address
>>
>> Finch feature name: PrivateNetworkAccessNullIpAddress
>>
>> Requires code in //chrome? False
>>
>> Tracking bug: https://crbug.com/1300021
>>
>> Estimated milestones
>> Shipping on desktop 133
>> Origin trial desktop first 127
>> Origin trial desktop last 133
>> DevTrial on desktop 127
>> Shipping on Android 133
>> OriginTrial Android last 133
>> OriginTrial Android first 127
>> DevTrial on Android 127
>> Shipping on WebView 133
>> OriginTrial webView last 133
>> OriginTrial webView first 127
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5106143060033536
>>
>> This intent message was generated by Chrome Platform Status
>> <https://chromestatus.com/>.
>>

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXd2OohWkdMfi_QvyeOGUnYRFKwzcSyUZCQP6tEDOxWvJeTQ%40mail.gmail.com.
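
Added example (not part of the thread and not Chromium's code): a simplified Python model of the address-space comparison the quoted intent describes, showing why 0.0.0.0 falls through to "public" and what blocking it changes. The range table, the names `address_space`, `decide` and `demo`, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Simplified address-space table modelled on the Private Network Access spec.
# Assumption: a handful of IPv4 ranges plus ::1; this is not Chromium's code.
SPACES = [
    ("local", ["127.0.0.0/8", "::1/128"]),
    ("private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "169.254.0.0/16"]),
]
RANK = {"local": 0, "private": 1, "public": 2}  # lower rank = less public
NULL_IP = ipaddress.ip_address("0.0.0.0")


def address_space(ip: str) -> str:
    """Classify an IP literal; anything not listed falls through to public."""
    addr = ipaddress.ip_address(ip)
    for name, nets in SPACES:
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return name
    return "public"


def decide(initiator_ip: str, target_ip: str, block_null_ip: bool) -> str:
    """Return 'block', 'pna-check' or 'allow' for a page's request."""
    init_rank = RANK[address_space(initiator_ip)]
    if block_null_ip and ipaddress.ip_address(target_ip) == NULL_IP:
        # Assumption of this model: 0.0.0.0 is refused for any initiator
        # outside the local space instead of being classified as public.
        return "block" if init_rank > RANK["local"] else "allow"
    if RANK[address_space(target_ip)] < init_rank:
        return "pna-check"  # private network request: PNA restrictions apply
    return "allow"  # target is not less public than the initiator


def demo() -> dict:
    """Constructed sample: a page on a public (TEST-NET-3) address."""
    page = "203.0.113.10"
    return {
        "loopback": decide(page, "127.0.0.1", block_null_ip=False),
        "null ip, before": decide(page, "0.0.0.0", block_null_ip=False),
        "null ip, after": decide(page, "0.0.0.0", block_null_ip=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "null ip, before" verdict is the gap: the table has no entry for 0.0.0.0, so the request is treated as public-to-public even though, per the quoted summary, it reaches localhost services on macOS and Linux.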
