Ah, I got them on the "Write up plan" stage accidentally. Also, you are correct that Debuggability has not responded yet and was still Blue. My apologies.
Should I ask for approvals on a different stage? None of the stages on Deprecations seem to match an Intent to Deprecate, rather than a Developer Trial or a traditional original trial. On Tue, Jun 4, 2024 at 1:14 PM Daniel Bratell <[email protected]> wrote: > If so, it's not visible to me. They are all shown as grey, i.e. not > started. Is there maybe more than one chromestatus entry and the review was > done somewhere else? > > /Daniel > On 2024-06-04 16:20, David Adrian wrote: > > > Can you please start (or possibly N/A) the > Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus? > > I believe it already has all the pils approved. > > On Tue, Jun 4, 2024 at 3:18 AM Daniel Bratell <[email protected]> wrote: > >> Can you please start (or possibly N/A) the >> Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus? >> >> /Daniel >> On 2024-06-03 21:56, 'David Adrian' via blink-dev wrote: >> >> > Can you please elaborate on the analysis: how low is the usage and how >> did you check that the use is malware? >> >> The Blink.UseCounter.Feature for PrivateNetworkAccessNullIpAddress shows >> <https://uma.googleplex.com/p/chrome/timeline_v2?sid=a4f412aa940bd3dd7b2bc6c960c2d91d> >> below 0.001% on all platforms. >> >> We've had multiple reports of malware leveraging this to attack specific >> developer tooling frameworks, e.g. https://crbug.com/40058874. >> >> > Also, just to confirm, this is an intent to deprecate and remove but >> you're planning on rolling out the removal gradually via finch, right? >> >> Correct. >> >> On Mon, Jun 3, 2024 at 1:25 PM Vladimir Levin <[email protected]> >> wrote: >> >>> >>> >>> On Mon, Jun 3, 2024 at 12:06 PM 'David Adrian' via blink-dev < >>> [email protected]> wrote: >>> >>>> Chrome Status doesn't generate emails for the deprecation trails, only >>>> developer trials, so I've repurposed that here. This is a Finch managed >>>> rollout, not a developer opt-in, due to the extremely low usage that seems >>>> to be almost entirely malware. >>>> >>> >>> Can you please elaborate on the analysis: how low is the usage and how >>> did you check that the use is malware? >>> >>> Also, just to confirm, this is an intent to deprecate and remove but >>> you're planning on rolling out the removal gradually via finch, right? >>> >>> Thanks! >>> Vlad >>> >>> >>>> >>>> On Mon, Jun 3, 2024 at 12:03 PM David Adrian <[email protected]> >>>> wrote: >>>> >>>>> Contact emails [email protected] >>>>> >>>>> Explainer None >>>>> >>>>> Specification https://wicg.github.io/private-network-access >>>>> >>>>> Summary >>>>> >>>>> We propose to block access to IP address 0.0.0.0 in advance of PNA >>>>> completely rolling out. Chrome is deprecating direct access to private >>>>> network endpoints from public websites as part of the Private Network >>>>> Access (PNA) specification ( >>>>> https://developer.chrome.com/blog/private-network-access-preflight/). >>>>> Services listening on the localhost (127.0.0.0/8) are considered >>>>> private according to the specification ( >>>>> https://wicg.github.io/private-network-access/#ip-address-space-heading). >>>>> Chrome's PNA protection (rolled out as part of >>>>> https://chromestatus.com/feature/5436853517811712) can be bypassed >>>>> using the IP address 0.0.0.0 to access services listening on the localhost >>>>> on macOS and Linux. This can also be abused in DNS rebinding attacks >>>>> targeting a web application listening on the localhost. Since 0.0.0.0 is >>>>> not used in practice (and should not be used), but was overlooked during >>>>> https://chromestatus.com/feature/5436853517811712, we're deprecating >>>>> it separately from the rest of the private network requests deprecation. >>>>> This will be a Finch (experimental) rollout, rather than a Developer >>>>> Trial. >>>>> >>>>> >>>>> Blink component Blink>SecurityFeature>CORS>PrivateNetworkAccess >>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess> >>>>> >>>>> Search tags security <https://chromestatus.com/features#tags:security> >>>>> , Private Network Access >>>>> <https://chromestatus.com/features#tags:Private%20Network%20Access> >>>>> >>>>> TAG review None >>>>> >>>>> TAG review status Not applicable >>>>> >>>>> Chromium Trial Name PrivateNetworkAccessNullIpAddressAllowed >>>>> >>>>> Origin Trial documentation link https://crbug.com/1300021 >>>>> >>>>> WebFeature UseCounter name kPrivateNetworkAccessNullIpAddress >>>>> >>>>> Risks >>>>> >>>>> >>>>> Interoperability and Compatibility >>>>> >>>>> None >>>>> >>>>> >>>>> *Gecko*: Closed Without a Position ( >>>>> https://github.com/mozilla/standards-positions/issues/143) >>>>> >>>>> *WebKit*: Support ( >>>>> https://github.com/WebKit/standards-positions/issues/163) >>>>> >>>>> *Web developers*: No signals >>>>> >>>>> *Other signals*: >>>>> >>>>> WebView application risks >>>>> >>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>> that it has potentially high risk for Android WebView-based applications? >>>>> >>>>> None >>>>> >>>>> >>>>> Goals for experimentation >>>>> >>>>> Ongoing technical constraints >>>>> >>>>> Eventually, all private network access will be limited according to >>>>> the developing Private Network Access spec. >>>>> >>>>> >>>>> Debuggability >>>>> >>>>> None >>>>> >>>>> >>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? Yes >>>>> >>>>> Is this feature fully tested by web-platform-tests >>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>> ? No >>>>> >>>>> Flag name on chrome://flags block-null-ip-address >>>>> >>>>> Finch feature name PrivateNetworkAccessNullIpAddress >>>>> >>>>> Requires code in //chrome? False >>>>> >>>>> Tracking bug https://crbug.com/1300021 >>>>> >>>>> Estimated milestones >>>>> Shipping on desktop 133 >>>>> Origin trial desktop first 127 >>>>> Origin trial desktop last 133 >>>>> DevTrial on desktop 127 >>>>> Shipping on Android 133 >>>>> OriginTrial Android last 133 >>>>> OriginTrial Android first 127 >>>>> DevTrial on Android 127 >>>>> Shipping on WebView 133 >>>>> OriginTrial webView last 133 >>>>> OriginTrial webView first 127 >>>>> >>>>> Link to entry on the Chrome Platform Status >>>>> https://chromestatus.com/feature/5106143060033536 >>>>> >>>>> This intent message was generated by Chrome Platform Status >>>>> <https://chromestatus.com/>. >>>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42KD_M%3DuYi%3DV4xusJg34EfGavVxpbHoOTQCj5UyxTeu0Uw%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42KD_M%3DuYi%3DV4xusJg34EfGavVxpbHoOTQCj5UyxTeu0Uw%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42LBBfm3UZcxJ_QRko14dBQPP_w3BiPE6c3TnfdiirmKgg%40mail.gmail.com.
