I think this hit a chromestatus bug. A deprecation should start with approvals of the plan stage, including 3 votes from API Owners. This was incorrectly detected by chromestatus as a thread about the ship stage, which comes later.
I have voted "review started" to get the "plan" stage API review gate to appear on the reviewers' dashboard. That stage already has 2 of the need cross-functional reviews approved and one pending. I'll reset the "Ship" gate so that it can be used later. I'll fix the underlying parsing bug today. Thanks, jason! On Tuesday, June 4, 2024 at 10:15:10 AM UTC-7 Daniel Bratell wrote: > If so, it's not visible to me. They are all shown as grey, i.e. not > started. Is there maybe more than one chromestatus entry and the review was > done somewhere else? > > /Daniel > On 2024-06-04 16:20, David Adrian wrote: > > > Can you please start (or possibly N/A) the > Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus? > > I believe it already has all the pils approved. > > On Tue, Jun 4, 2024 at 3:18 AM Daniel Bratell <[email protected]> wrote: > >> Can you please start (or possibly N/A) the >> Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus? >> >> /Daniel >> On 2024-06-03 21:56, 'David Adrian' via blink-dev wrote: >> >> > Can you please elaborate on the analysis: how low is the usage and how >> did you check that the use is malware? >> >> The Blink.UseCounter.Feature for PrivateNetworkAccessNullIpAddress shows >> <https://uma.googleplex.com/p/chrome/timeline_v2?sid=a4f412aa940bd3dd7b2bc6c960c2d91d> >> >> below 0.001% on all platforms. >> >> We've had multiple reports of malware leveraging this to attack specific >> developer tooling frameworks, e.g. https://crbug.com/40058874. >> >> > Also, just to confirm, this is an intent to deprecate and remove but >> you're planning on rolling out the removal gradually via finch, right? >> >> Correct. >> >> On Mon, Jun 3, 2024 at 1:25 PM Vladimir Levin <[email protected]> >> wrote: >> >>> >>> >>> On Mon, Jun 3, 2024 at 12:06 PM 'David Adrian' via blink-dev < >>> [email protected]> wrote: >>> >>>> Chrome Status doesn't generate emails for the deprecation trails, only >>>> developer trials, so I've repurposed that here. This is a Finch managed >>>> rollout, not a developer opt-in, due to the extremely low usage that seems >>>> to be almost entirely malware. >>>> >>> >>> Can you please elaborate on the analysis: how low is the usage and how >>> did you check that the use is malware? >>> >>> Also, just to confirm, this is an intent to deprecate and remove but >>> you're planning on rolling out the removal gradually via finch, right? >>> >>> Thanks! >>> Vlad >>> >>> >>>> >>>> On Mon, Jun 3, 2024 at 12:03 PM David Adrian <[email protected]> wrote: >>>> >>>>> Contact emails [email protected] >>>>> >>>>> Explainer None >>>>> >>>>> Specification https://wicg.github.io/private-network-access >>>>> >>>>> Summary >>>>> >>>>> We propose to block access to IP address 0.0.0.0 in advance of PNA >>>>> completely rolling out. Chrome is deprecating direct access to private >>>>> network endpoints from public websites as part of the Private Network >>>>> Access (PNA) specification ( >>>>> https://developer.chrome.com/blog/private-network-access-preflight/). >>>>> Services listening on the localhost (127.0.0.0/8) are considered >>>>> private according to the specification ( >>>>> https://wicg.github.io/private-network-access/#ip-address-space-heading). >>>>> Chrome's PNA protection (rolled out as part of >>>>> https://chromestatus.com/feature/5436853517811712) can be bypassed >>>>> using the IP address 0.0.0.0 to access services listening on the >>>>> localhost >>>>> on macOS and Linux. This can also be abused in DNS rebinding attacks >>>>> targeting a web application listening on the localhost. Since 0.0.0.0 is >>>>> not used in practice (and should not be used), but was overlooked during >>>>> https://chromestatus.com/feature/5436853517811712, we're deprecating >>>>> it separately from the rest of the private network requests deprecation. >>>>> This will be a Finch (experimental) rollout, rather than a Developer >>>>> Trial. >>>>> >>>>> >>>>> Blink component Blink>SecurityFeature>CORS>PrivateNetworkAccess >>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess> >>>>> >>>>> Search tags security <https://chromestatus.com/features#tags:security> >>>>> , Private Network Access >>>>> <https://chromestatus.com/features#tags:Private%20Network%20Access> >>>>> >>>>> TAG review None >>>>> >>>>> TAG review status Not applicable >>>>> >>>>> Chromium Trial Name PrivateNetworkAccessNullIpAddressAllowed >>>>> >>>>> Origin Trial documentation link https://crbug.com/1300021 >>>>> >>>>> WebFeature UseCounter name kPrivateNetworkAccessNullIpAddress >>>>> >>>>> Risks >>>>> >>>>> >>>>> Interoperability and Compatibility >>>>> >>>>> None >>>>> >>>>> >>>>> *Gecko*: Closed Without a Position ( >>>>> https://github.com/mozilla/standards-positions/issues/143) >>>>> >>>>> *WebKit*: Support ( >>>>> https://github.com/WebKit/standards-positions/issues/163) >>>>> >>>>> *Web developers*: No signals >>>>> >>>>> *Other signals*: >>>>> >>>>> WebView application risks >>>>> >>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>> that it has potentially high risk for Android WebView-based applications? >>>>> >>>>> None >>>>> >>>>> >>>>> Goals for experimentation >>>>> >>>>> Ongoing technical constraints >>>>> >>>>> Eventually, all private network access will be limited according to >>>>> the developing Private Network Access spec. >>>>> >>>>> >>>>> Debuggability >>>>> >>>>> None >>>>> >>>>> >>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? Yes >>>>> >>>>> Is this feature fully tested by web-platform-tests >>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>> ? No >>>>> >>>>> Flag name on chrome://flags block-null-ip-address >>>>> >>>>> Finch feature name PrivateNetworkAccessNullIpAddress >>>>> >>>>> Requires code in //chrome? False >>>>> >>>>> Tracking bug https://crbug.com/1300021 >>>>> >>>>> Estimated milestones >>>>> Shipping on desktop 133 >>>>> Origin trial desktop first 127 >>>>> Origin trial desktop last 133 >>>>> DevTrial on desktop 127 >>>>> Shipping on Android 133 >>>>> OriginTrial Android last 133 >>>>> OriginTrial Android first 127 >>>>> DevTrial on Android 127 >>>>> Shipping on WebView 133 >>>>> OriginTrial webView last 133 >>>>> OriginTrial webView first 127 >>>>> >>>>> Link to entry on the Chrome Platform Status >>>>> https://chromestatus.com/feature/5106143060033536 >>>>> >>>>> This intent message was generated by Chrome Platform Status >>>>> <https://chromestatus.com/>. >>>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com >>>> >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42KD_M%3DuYi%3DV4xusJg34EfGavVxpbHoOTQCj5UyxTeu0Uw%40mail.gmail.com >> >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42KD_M%3DuYi%3DV4xusJg34EfGavVxpbHoOTQCj5UyxTeu0Uw%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/43180416-36bb-4de7-a664-3a3aed64da4an%40chromium.org.
