Sorry, the ChromeStatus labels for things are a little out of sync with the launching-features documentation at the moment. I believe that you are on this step of the process: https://www.chromium.org/blink/launching-features/#deprecate Which corresponds to the "Write up plan" stage in chromestatus.
At a high level, the deprecation process is intended to be front-loaded with the most scrutiny and coordination happening during the planning stage. Thanks, jason! On Tuesday, June 4, 2024 at 11:30:47 AM UTC-7 David Adrian wrote: > Ah, I got them on the "Write up plan" stage accidentally. Also, you are > correct that Debuggability has not responded yet and was still Blue. My > apologies. > > Should I ask for approvals on a different stage? None of the stages on > Deprecations seem to match an Intent to Deprecate, rather than a Developer > Trial or a traditional original trial. > > On Tue, Jun 4, 2024 at 1:14 PM Daniel Bratell <[email protected]> wrote: > >> If so, it's not visible to me. They are all shown as grey, i.e. not >> started. Is there maybe more than one chromestatus entry and the review was >> done somewhere else? >> >> /Daniel >> On 2024-06-04 16:20, David Adrian wrote: >> >> > Can you please start (or possibly N/A) the >> Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus? >> >> I believe it already has all the pils approved. >> >> On Tue, Jun 4, 2024 at 3:18 AM Daniel Bratell <[email protected]> wrote: >> >>> Can you please start (or possibly N/A) the >>> Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus? >>> >>> /Daniel >>> On 2024-06-03 21:56, 'David Adrian' via blink-dev wrote: >>> >>> > Can you please elaborate on the analysis: how low is the usage and how >>> did you check that the use is malware? >>> >>> The Blink.UseCounter.Feature for PrivateNetworkAccessNullIpAddress shows >>> <https://uma.googleplex.com/p/chrome/timeline_v2?sid=a4f412aa940bd3dd7b2bc6c960c2d91d> >>> >>> below 0.001% on all platforms. >>> >>> We've had multiple reports of malware leveraging this to attack specific >>> developer tooling frameworks, e.g. https://crbug.com/40058874. >>> >>> > Also, just to confirm, this is an intent to deprecate and remove but >>> you're planning on rolling out the removal gradually via finch, right? >>> >>> Correct. >>> >>> On Mon, Jun 3, 2024 at 1:25 PM Vladimir Levin <[email protected]> >>> wrote: >>> >>>> >>>> >>>> On Mon, Jun 3, 2024 at 12:06 PM 'David Adrian' via blink-dev < >>>> [email protected]> wrote: >>>> >>>>> Chrome Status doesn't generate emails for the deprecation trails, only >>>>> developer trials, so I've repurposed that here. This is a Finch managed >>>>> rollout, not a developer opt-in, due to the extremely low usage that >>>>> seems >>>>> to be almost entirely malware. >>>>> >>>> >>>> Can you please elaborate on the analysis: how low is the usage and how >>>> did you check that the use is malware? >>>> >>>> Also, just to confirm, this is an intent to deprecate and remove but >>>> you're planning on rolling out the removal gradually via finch, right? >>>> >>>> Thanks! >>>> Vlad >>>> >>>> >>>>> >>>>> On Mon, Jun 3, 2024 at 12:03 PM David Adrian <[email protected]> >>>>> wrote: >>>>> >>>>>> Contact emails [email protected] >>>>>> >>>>>> Explainer None >>>>>> >>>>>> Specification https://wicg.github.io/private-network-access >>>>>> >>>>>> Summary >>>>>> >>>>>> We propose to block access to IP address 0.0.0.0 in advance of PNA >>>>>> completely rolling out. Chrome is deprecating direct access to private >>>>>> network endpoints from public websites as part of the Private Network >>>>>> Access (PNA) specification ( >>>>>> https://developer.chrome.com/blog/private-network-access-preflight/). >>>>>> Services listening on the localhost (127.0.0.0/8) are considered >>>>>> private according to the specification ( >>>>>> https://wicg.github.io/private-network-access/#ip-address-space-heading). >>>>>> >>>>>> Chrome's PNA protection (rolled out as part of >>>>>> https://chromestatus.com/feature/5436853517811712) can be bypassed >>>>>> using the IP address 0.0.0.0 to access services listening on the >>>>>> localhost >>>>>> on macOS and Linux. This can also be abused in DNS rebinding attacks >>>>>> targeting a web application listening on the localhost. Since 0.0.0.0 is >>>>>> not used in practice (and should not be used), but was overlooked during >>>>>> https://chromestatus.com/feature/5436853517811712, we're deprecating >>>>>> it separately from the rest of the private network requests deprecation. >>>>>> This will be a Finch (experimental) rollout, rather than a Developer >>>>>> Trial. >>>>>> >>>>>> >>>>>> Blink component Blink>SecurityFeature>CORS>PrivateNetworkAccess >>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess> >>>>>> >>>>>> Search tags security >>>>>> <https://chromestatus.com/features#tags:security>, Private Network >>>>>> Access >>>>>> <https://chromestatus.com/features#tags:Private%20Network%20Access> >>>>>> >>>>>> TAG review None >>>>>> >>>>>> TAG review status Not applicable >>>>>> >>>>>> Chromium Trial Name PrivateNetworkAccessNullIpAddressAllowed >>>>>> >>>>>> Origin Trial documentation link https://crbug.com/1300021 >>>>>> >>>>>> WebFeature UseCounter name kPrivateNetworkAccessNullIpAddress >>>>>> >>>>>> Risks >>>>>> >>>>>> >>>>>> Interoperability and Compatibility >>>>>> >>>>>> None >>>>>> >>>>>> >>>>>> *Gecko*: Closed Without a Position ( >>>>>> https://github.com/mozilla/standards-positions/issues/143) >>>>>> >>>>>> *WebKit*: Support ( >>>>>> https://github.com/WebKit/standards-positions/issues/163) >>>>>> >>>>>> *Web developers*: No signals >>>>>> >>>>>> *Other signals*: >>>>>> >>>>>> WebView application risks >>>>>> >>>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>>> that it has potentially high risk for Android WebView-based applications? >>>>>> >>>>>> None >>>>>> >>>>>> >>>>>> Goals for experimentation >>>>>> >>>>>> Ongoing technical constraints >>>>>> >>>>>> Eventually, all private network access will be limited according to >>>>>> the developing Private Network Access spec. >>>>>> >>>>>> >>>>>> Debuggability >>>>>> >>>>>> None >>>>>> >>>>>> >>>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? Yes >>>>>> >>>>>> Is this feature fully tested by web-platform-tests >>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>>> ? No >>>>>> >>>>>> Flag name on chrome://flags block-null-ip-address >>>>>> >>>>>> Finch feature name PrivateNetworkAccessNullIpAddress >>>>>> >>>>>> Requires code in //chrome? False >>>>>> >>>>>> Tracking bug https://crbug.com/1300021 >>>>>> >>>>>> Estimated milestones >>>>>> Shipping on desktop 133 >>>>>> Origin trial desktop first 127 >>>>>> Origin trial desktop last 133 >>>>>> DevTrial on desktop 127 >>>>>> Shipping on Android 133 >>>>>> OriginTrial Android last 133 >>>>>> OriginTrial Android first 127 >>>>>> DevTrial on Android 127 >>>>>> Shipping on WebView 133 >>>>>> OriginTrial webView last 133 >>>>>> OriginTrial webView first 127 >>>>>> >>>>>> Link to entry on the Chrome Platform Status >>>>>> https://chromestatus.com/feature/5106143060033536 >>>>>> >>>>>> This intent message was generated by Chrome Platform Status >>>>>> <https://chromestatus.com/>. >>>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com >>>>> >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42KD_M%3DuYi%3DV4xusJg34EfGavVxpbHoOTQCj5UyxTeu0Uw%40mail.gmail.com >>> >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42KD_M%3DuYi%3DV4xusJg34EfGavVxpbHoOTQCj5UyxTeu0Uw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d9c056f3-9418-47f0-9f6f-98a10bae268bn%40chromium.org.
