If so, it's not visible to me. They are all shown as grey, i.e. not started. Is there maybe more than one chromestatus entry and the review was done somewhere else?

/Daniel

On 2024-06-04 16:20, David Adrian wrote:
> Can you please start (or possibly N/A) the Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus?

I believe it already has all the pills approved.

On Tue, Jun 4, 2024 at 3:18 AM Daniel Bratell <[email protected]> wrote:

    Can you please start (or possibly N/A) the
    Privacy/Security/Enterprise/Debuggability/Testing pills in
    Chromestatus?

    /Daniel

    On 2024-06-03 21:56, 'David Adrian' via blink-dev wrote:
    > Can you please elaborate on the analysis: how low is the usage
    > and how did you check that the use is malware?

    The Blink.UseCounter.Feature for PrivateNetworkAccessNullIpAddress shows
    <https://uma.googleplex.com/p/chrome/timeline_v2?sid=a4f412aa940bd3dd7b2bc6c960c2d91d>
    below 0.001% on all platforms.

    We've had multiple reports of malware leveraging this to attack
    specific developer tooling frameworks, e.g.
    https://crbug.com/40058874.

    > Also, just to confirm, this is an intent to deprecate and
    > remove but you're planning on rolling out the removal gradually
    > via finch, right?

    Correct.

    On Mon, Jun 3, 2024 at 1:25 PM Vladimir Levin
    <[email protected]> wrote:



        On Mon, Jun 3, 2024 at 12:06 PM 'David Adrian' via blink-dev
        <[email protected]> wrote:

            Chrome Status doesn't generate emails for the deprecation
            trials, only developer trials, so I've repurposed that
            here. This is a Finch managed rollout, not a developer
            opt-in, due to the extremely low usage that seems to be
            almost entirely malware.


        Can you please elaborate on the analysis: how low is the
        usage and how did you check that the use is malware?

        Also, just to confirm, this is an intent to deprecate and
        remove but you're planning on rolling out the removal
        gradually via finch, right?

        Thanks!
        Vlad


            On Mon, Jun 3, 2024 at 12:03 PM David Adrian
            <[email protected]> wrote:


                        Contact emails

                [email protected]


                        Explainer

                None


                        Specification

                https://wicg.github.io/private-network-access


                        Summary

                We propose to block access to IP address 0.0.0.0 in
                advance of PNA completely rolling out. Chrome is
                deprecating direct access to private network
                endpoints from public websites as part of the Private
                Network Access (PNA) specification
                (https://developer.chrome.com/blog/private-network-access-preflight/).
                Services listening on the localhost (127.0.0.0/8)
                are considered private according to the specification
                (https://wicg.github.io/private-network-access/#ip-address-space-heading).
                Chrome's PNA protection (rolled out as part of
                https://chromestatus.com/feature/5436853517811712)
                can be bypassed using the IP address 0.0.0.0 to
                access services listening on the localhost on macOS
                and Linux. This can also be abused in DNS rebinding
                attacks targeting a web application listening on the
                localhost. Since 0.0.0.0 is not used in practice (and
                should not be used), but was overlooked during
                https://chromestatus.com/feature/5436853517811712,
                we're deprecating it separately from the rest of the
                private network requests deprecation. This will be a
                Finch (experimental) rollout, rather than a Developer
                Trial.



                        Blink component

                Blink>SecurityFeature>CORS>PrivateNetworkAccess
                <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>


                        Search tags

                security
                <https://chromestatus.com/features#tags:security>,
                Private Network Access
                <https://chromestatus.com/features#tags:Private%20Network%20Access>


                        TAG review

                None


                        TAG review status

                Not applicable


                        Chromium Trial Name

                PrivateNetworkAccessNullIpAddressAllowed


                        Origin Trial documentation link

                https://crbug.com/1300021


                        WebFeature UseCounter name

                kPrivateNetworkAccessNullIpAddress


                        Risks



                        Interoperability and Compatibility

                None



                /Gecko/: Closed Without a Position
                (https://github.com/mozilla/standards-positions/issues/143)

                /WebKit/: Support
                (https://github.com/WebKit/standards-positions/issues/163)

                /Web developers/: No signals

                /Other signals/:


                        WebView application risks

                Does this intent deprecate or change behavior of
                existing APIs, such that it has potentially high risk
                for Android WebView-based applications?

                None



                        Goals for experimentation



                        Ongoing technical constraints

                Eventually, all private network access will be
                limited according to the developing Private Network
                Access spec.



                        Debuggability

                None



                        Will this feature be supported on all six
                        Blink platforms (Windows, Mac, Linux,
                        ChromeOS, Android, and Android WebView)?

                Yes


                        Is this feature fully tested by
                        web-platform-tests
                        <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

                No


                        Flag name on chrome://flags

                block-null-ip-address


                        Finch feature name

                PrivateNetworkAccessNullIpAddress


                        Requires code in //chrome?

                False


                        Tracking bug

                https://crbug.com/1300021


                        Estimated milestones

                Shipping on desktop     133
                Origin trial desktop first      127
                Origin trial desktop last       133
                DevTrial on desktop     127

                Shipping on Android     133
                OriginTrial Android last        133
                OriginTrial Android first       127
                DevTrial on Android     127

                Shipping on WebView     133
                OriginTrial webView last        133
                OriginTrial webView first       127



                        Link to entry on the Chrome Platform Status

                https://chromestatus.com/feature/5106143060033536

                This intent message was generated by Chrome Platform
                Status <https://chromestatus.com/>.

-- You received this message because you are subscribed to
            the Google Groups "blink-dev" group.
            To unsubscribe from this group and stop receiving emails
            from it, send an email to [email protected].
            To view this discussion on the web visit
            
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com
            
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com?utm_medium=email&utm_source=footer>.



--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/7116f89b-73bc-43ad-a48b-26ed206ca8ee%40sarasas.se.
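
The gap described in the quoted Summary, modeled as an added example (not Chromium's code and not written by anyone in this thread): a classifier built only from the loopback and private ranges places 0.0.0.0 in the public space, so a request to it from a public page is never flagged as a private network request. The space labels, function names, and sample addresses are assumptions of this example, as is treating the IPv6 unspecified address `::` the same way as 0.0.0.0.

```python
import ipaddress

# Higher rank = less public. Labels are this example's own, not the spec's.
RANK = {"public": 0, "private": 1, "loopback": 2}
LOOPBACK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


def address_space(ip, null_is_loopback):
    """Classify an IP literal; null_is_loopback toggles the 0.0.0.0 handling."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        addr = mapped
    if addr.is_unspecified:  # 0.0.0.0 (and ::, an assumption of this example)
        # macOS and Linux deliver connections to 0.0.0.0 to the local host,
        # so with the fix it is treated like loopback instead of public.
        return "loopback" if null_is_loopback else "public"
    if any(addr in net for net in LOOPBACK):
        return "loopback"
    if any(addr in net for net in PRIVATE):
        return "private"
    return "public"


def is_private_network_request(initiator_ip, target_ip, null_is_loopback=True):
    """True when the target is in a less public space than the initiator."""
    src = address_space(initiator_ip, null_is_loopback)
    dst = address_space(target_ip, null_is_loopback)
    return RANK[dst] > RANK[src]


def compare(initiator="203.0.113.10"):  # constructed documentation address
    """Return (target, flagged_without_fix, flagged_with_fix) per sample."""
    targets = ["127.0.0.1", "0.0.0.0", "::ffff:0.0.0.0", "192.168.1.5"]
    return [(t,
             is_private_network_request(initiator, t, null_is_loopback=False),
             is_private_network_request(initiator, t, null_is_loopback=True))
            for t in targets]


if __name__ == "__main__":
    for row in compare():
        print(row)
```
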
