> Can you please start (or possibly N/A) the Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus?
I believe it already has all the pills approved.

On Tue, Jun 4, 2024 at 3:18 AM Daniel Bratell <[email protected]> wrote:

> Can you please start (or possibly N/A) the
> Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus?
>
> /Daniel
>
> On 2024-06-03 21:56, 'David Adrian' via blink-dev wrote:
>
> > Can you please elaborate on the analysis: how low is the usage and how did you check that the use is malware?
>
> The Blink.UseCounter.Feature for PrivateNetworkAccessNullIpAddress shows
> <https://uma.googleplex.com/p/chrome/timeline_v2?sid=a4f412aa940bd3dd7b2bc6c960c2d91d>
> below 0.001% on all platforms.
>
> We've had multiple reports of malware leveraging this to attack specific
> developer tooling frameworks, e.g. https://crbug.com/40058874.
>
> > Also, just to confirm, this is an intent to deprecate and remove but you're planning on rolling out the removal gradually via finch, right?
>
> Correct.
>
> On Mon, Jun 3, 2024 at 1:25 PM Vladimir Levin <[email protected]> wrote:
>
>> On Mon, Jun 3, 2024 at 12:06 PM 'David Adrian' via blink-dev <[email protected]> wrote:
>>
>>> Chrome Status doesn't generate emails for the deprecation trials, only
>>> developer trials, so I've repurposed that here. This is a Finch managed
>>> rollout, not a developer opt-in, due to the extremely low usage that seems
>>> to be almost entirely malware.
>>
>> Can you please elaborate on the analysis: how low is the usage and how
>> did you check that the use is malware?
>>
>> Also, just to confirm, this is an intent to deprecate and remove but
>> you're planning on rolling out the removal gradually via finch, right?
>>
>> Thanks!
>> Vlad
>>
>>> On Mon, Jun 3, 2024 at 12:03 PM David Adrian <[email protected]> wrote:
>>>
>>>> Contact emails [email protected]
>>>>
>>>> Explainer None
>>>>
>>>> Specification https://wicg.github.io/private-network-access
>>>>
>>>> Summary
>>>>
>>>> We propose to block access to IP address 0.0.0.0 in advance of PNA
>>>> completely rolling out. Chrome is deprecating direct access to private
>>>> network endpoints from public websites as part of the Private Network
>>>> Access (PNA) specification
>>>> (https://developer.chrome.com/blog/private-network-access-preflight/).
>>>> Services listening on the localhost (127.0.0.0/8) are considered
>>>> private according to the specification
>>>> (https://wicg.github.io/private-network-access/#ip-address-space-heading).
>>>> Chrome's PNA protection (rolled out as part of
>>>> https://chromestatus.com/feature/5436853517811712) can be bypassed
>>>> using the IP address 0.0.0.0 to access services listening on the localhost
>>>> on macOS and Linux. This can also be abused in DNS rebinding attacks
>>>> targeting a web application listening on the localhost. Since 0.0.0.0 is
>>>> not used in practice (and should not be used), but was overlooked during
>>>> https://chromestatus.com/feature/5436853517811712, we're deprecating
>>>> it separately from the rest of the private network requests deprecation.
>>>> This will be a Finch (experimental) rollout, rather than a Developer Trial.
>>>>
>>>> Blink component Blink>SecurityFeature>CORS>PrivateNetworkAccess
>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
>>>>
>>>> Search tags security <https://chromestatus.com/features#tags:security>,
>>>> Private Network Access
>>>> <https://chromestatus.com/features#tags:Private%20Network%20Access>
>>>>
>>>> TAG review None
>>>>
>>>> TAG review status Not applicable
>>>>
>>>> Chromium Trial Name PrivateNetworkAccessNullIpAddressAllowed
>>>>
>>>> Origin Trial documentation link https://crbug.com/1300021
>>>>
>>>> WebFeature UseCounter name kPrivateNetworkAccessNullIpAddress
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> None
>>>>
>>>> *Gecko*: Closed Without a Position
>>>> (https://github.com/mozilla/standards-positions/issues/143)
>>>>
>>>> *WebKit*: Support
>>>> (https://github.com/WebKit/standards-positions/issues/163)
>>>>
>>>> *Web developers*: No signals
>>>>
>>>> *Other signals*:
>>>>
>>>> WebView application risks
>>>>
>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>> that it has potentially high risk for Android WebView-based applications?
>>>>
>>>> None
>>>>
>>>> Goals for experimentation
>>>>
>>>> Ongoing technical constraints
>>>>
>>>> Eventually, all private network access will be limited according to the
>>>> developing Private Network Access spec.
>>>>
>>>> Debuggability
>>>>
>>>> None
>>>>
>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? Yes
>>>>
>>>> Is this feature fully tested by web-platform-tests
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>> No
>>>>
>>>> Flag name on chrome://flags block-null-ip-address
>>>>
>>>> Finch feature name PrivateNetworkAccessNullIpAddress
>>>>
>>>> Requires code in //chrome? False
>>>>
>>>> Tracking bug https://crbug.com/1300021
>>>>
>>>> Estimated milestones
>>>> Shipping on desktop 133
>>>> Origin trial desktop first 127
>>>> Origin trial desktop last 133
>>>> DevTrial on desktop 127
>>>> Shipping on Android 133
>>>> OriginTrial Android last 133
>>>> OriginTrial Android first 127
>>>> DevTrial on Android 127
>>>> Shipping on WebView 133
>>>> OriginTrial webView last 133
>>>> OriginTrial webView first 127
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>> https://chromestatus.com/feature/5106143060033536
>>>>
>>>> This intent message was generated by Chrome Platform Status
>>>> <https://chromestatus.com/>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42KGMLc5x1cyzG42o%2B7RY9ZEJbAMrXeaui-xX%2BW_CM1hfQ%40mail.gmail.com.
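
Added example, not part of the thread and not Chrome's code: a simplified IPv4-only model of the address-space check described in the quoted Summary, showing how 0.0.0.0 passes a range-based classification and how an explicit null-address block closes that gap. The function names, the result labels and the modelling choice that 0.0.0.0 falls outside the listed ranges are assumptions made for illustration.

```javascript
// Simplified model for illustration; names and labels are hypothetical.

// Parse a dotted-quad string into four octets, or return null if malformed.
function parseIPv4(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

// True only for the null address 0.0.0.0 that the intent singles out.
function isNullAddress(octets) {
  return octets.every((o) => o === 0);
}

// Map an address to an address space using ranges only.
function addressSpace(octets) {
  const [a, b] = octets;
  if (a === 127) return "local";                          // 127.0.0.0/8
  if (a === 10) return "private";                         // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return "private";  // 172.16.0.0/12
  if (a === 192 && b === 168) return "private";           // 192.168.0.0/16
  if (a === 169 && b === 254) return "private";           // 169.254.0.0/16
  return "public"; // assumption: 0.0.0.0 matches no range and lands here
}

// Higher rank means less public.
const RANK = { public: 0, private: 1, local: 2 };

// Decide the outcome for a request from a page in initiatorSpace to targetHost.
// blockNullIp models the behaviour the intent proposes to roll out.
function checkRequest(initiatorSpace, targetHost, blockNullIp) {
  const octets = parseIPv4(targetHost);
  if (octets === null) return "not-an-ipv4-literal";
  if (blockNullIp && isNullAddress(octets)) return "blocked-null-ip";
  const target = addressSpace(octets);
  return RANK[target] > RANK[initiatorSpace] ? "restricted-by-pna" : "allowed";
}

// Constructed sample targets, evaluated for a page loaded from a public address.
for (const host of ["127.0.0.1", "192.168.1.10", "0.0.0.0", "93.184.216.34"]) {
  console.log(host, checkRequest("public", host, false), checkRequest("public", host, true));
}
```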
