LGTM1
/Daniel
On 2024-06-03 18:03, 'David Adrian' via blink-dev wrote:
Contact emails
[email protected]
Explainer
None
Specification
https://wicg.github.io/private-network-access
Summary
We propose to block access to IP address 0.0.0.0 in advance of PNA
completely rolling out. Chrome is deprecating direct access to private
network endpoints from public websites as part of the Private Network
Access (PNA) specification
(https://developer.chrome.com/blog/private-network-access-preflight/).
Services listening on the localhost (127.0.0.0/8) are considered private
according to the specification
(https://wicg.github.io/private-network-access/#ip-address-space-heading).
Chrome's PNA protection (rolled out as part of
https://chromestatus.com/feature/5436853517811712) can be bypassed
using the IP address 0.0.0.0 to access services listening on the
localhost on macOS and Linux. This can also be abused in DNS rebinding
attacks targeting a web application listening on the localhost. Since
0.0.0.0 is not used in practice (and should not be used), but was
overlooked during https://chromestatus.com/feature/5436853517811712,
we're deprecating it separately from the rest of the private network
requests deprecation. This will be a Finch (experimental) rollout,
rather than a Developer Trial.
Blink component
Blink>SecurityFeature>CORS>PrivateNetworkAccess
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
Search tags
security <https://chromestatus.com/features#tags:security>, Private
Network Access
<https://chromestatus.com/features#tags:Private%20Network%20Access>
TAG review
None
TAG review status
Not applicable
Chromium Trial Name
PrivateNetworkAccessNullIpAddressAllowed
Origin Trial documentation link
https://crbug.com/1300021
WebFeature UseCounter name
kPrivateNetworkAccessNullIpAddress
Risks
Interoperability and Compatibility
None
/Gecko/: Closed Without a Position
(https://github.com/mozilla/standards-positions/issues/143)
/WebKit/: Support
(https://github.com/WebKit/standards-positions/issues/163)
/Web developers/: No signals
/Other signals/:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
None
Goals for experimentation
Ongoing technical constraints
Eventually, all private network access will be limited according to
the developing Private Network Access spec.
Debuggability
None
Will this feature be supported on all six Blink platforms
(Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No
Flag name on chrome://flags
block-null-ip-address
Finch feature name
PrivateNetworkAccessNullIpAddress
Requires code in //chrome?
False
Tracking bug
https://crbug.com/1300021
Estimated milestones
Shipping on desktop 133
Origin trial desktop first 127
Origin trial desktop last 133
DevTrial on desktop 127
Shipping on Android 133
OriginTrial Android last 133
OriginTrial Android first 127
DevTrial on Android 127
Shipping on WebView 133
OriginTrial webView last 133
OriginTrial webView first 127
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5106143060033536
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42L-7xt9YY-jmq-G4-nuitqELpgqgnvECkbCoPpAWWMMjw%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42L-7xt9YY-jmq-G4-nuitqELpgqgnvECkbCoPpAWWMMjw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
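The summary above describes the gap: a PNA address-space check built purely from the spec's table has no row for 0.0.0.0, so the unspecified address is classified "public" even though connecting to it reaches loopback services on macOS and Linux. The following is an added example (not Chromium's code) that contrasts a naive table-only classifier with one that treats the unspecified address as local; the range table is a simplified reading of the spec's IP address space section and is an assumption, as are the function names.

```python
import ipaddress

# Constructed, simplified reading of the PNA "IP address space" table
# (assumption: check the spec for the authoritative list of ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16", "fc00::/7", "fe80::/10",         # link-local / ULA
)]

def _lookup(ip):
    """Table lookup only: returns the row's space or 'public' if no row matches."""
    if any(ip in n for n in LOCAL_NETS):
        return "local"
    if any(ip in n for n in PRIVATE_NETS):
        return "private"
    return "public"

def address_space_naive(ip_str):
    """Buggy variant: 0.0.0.0 matches no table row and comes out 'public',
    so a request to it is never treated as a private network request."""
    return _lookup(ipaddress.ip_address(ip_str))

def address_space(ip_str):
    """Hardened variant: the unspecified address (0.0.0.0 / ::) is never a
    routable public host; on macOS and Linux it reaches loopback, so it is
    classified as local before consulting the table."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_unspecified:
        return "local"
    # Classify IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return _lookup(ip)

# Ordering used by PNA: a request is a private network request when the
# target is in a more private space than the initiator.
_RANK = {"public": 0, "private": 1, "local": 2}

def is_private_network_request(initiator_space, target_space):
    return _RANK[target_space] > _RANK[initiator_space]

if __name__ == "__main__":
    # Constructed sample targets requested by a public web page.
    for target in ("93.184.216.34", "192.168.1.10", "127.0.0.1", "0.0.0.0"):
        naive, fixed = address_space_naive(target), address_space(target)
        print(f"{target:>14}  naive={naive:<7} fixed={fixed:<7} "
              f"blocked_by_PNA={is_private_network_request('public', fixed)}")
```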