Contact emails
ort...@chromium.org, cth...@chromium.org

Explainer
https://github.com/explainers-by-googlers/local-network-access?tab=readme-ov-file#integration-with-webrtc

Specification
None

Summary
Restricts the ability to make requests to the user's local network using WebRTC, gated behind a permission prompt. A local network request is any request from a public website to a local IP address or loopback, or from a local website (eg intranet) to loopback. Gating the ability for websites to perform these requests behind a permission reduces the ability of sites to use these requests to fingerprint the user's local network. This permission is restricted to secure contexts. This work is adding to the Local Network Access Restrictions work here: https://chromestatus.com/feature/5152728072060928

Blink component
Blink>SecurityFeature>CORS>PrivateNetworkAccess

Motivation
Currently public websites can use WebRTC to probe a user's local network, perform CSRF attacks against vulnerable local devices, and generally abuse the user's browser as a "confused deputy" that has access inside the user's local network or software on their local machine. Gating the ability for sites to make local network requests using WebRTC behind a permission prompt helps stop the exploitation of vulnerable devices and servers from the drive-by-web, and gives users control over which sites can probe their local network.

Initial public proposal
https://github.com/WICG/proposals/issues/198

TAG review
None

TAG review status
Pending

Risks

Interoperability and Compatibility
None

Gecko: No signal
WebKit: No signal
Web developers: No signals
Other signals:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None

Debuggability
None

Is this feature fully tested by web-platform-tests?
No

Flag name on about://flags
None

Finch feature name
None

Non-finch justification
None

Requires code in //chrome?
True

Estimated milestones
No milestones specified

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5065884686876672?gate=4924677637799936

This intent message was generated by Chrome Platform Status.
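
The Summary's definition of a local network request, modelled as an added example that is not part of the original message or Chromium's code. The address ranges, the function names and the "block" outcome for insecure contexts are this example's assumptions; the message itself only names the public, local and loopback categories and says the permission is restricted to secure contexts.

```python
import ipaddress

# Assumed ranges (not listed in the message): loopback, plus RFC 1918,
# link-local and IPv6 unique-local blocks treated as "local".
LOOPBACK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Lower rank = closer to the user's own machine.
RANK = {"loopback": 0, "local": 1, "public": 2}


def address_space(addr: str) -> str:
    """Classify an IP literal as 'loopback', 'local' or 'public'."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so a mapped address cannot hide a local target.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in LOOPBACK):
        return "loopback"
    if any(ip in net for net in LOCAL):
        return "local"
    return "public"


def is_local_network_request(initiator_ip: str, target_ip: str) -> bool:
    """True for public -> local/loopback and for local -> loopback."""
    return RANK[address_space(target_ip)] < RANK[address_space(initiator_ip)]


def decide(initiator_ip: str, secure_context: bool, target_ip: str) -> str:
    """Return 'allow', 'prompt' or 'block' for one connection attempt."""
    if not is_local_network_request(initiator_ip, target_ip):
        return "allow"
    # The permission is restricted to secure contexts, so an insecure page
    # cannot obtain it (this example's reading of the Summary).
    return "prompt" if secure_context else "block"


if __name__ == "__main__":
    # Constructed samples: (IP the site was served from, secure?, target IP).
    for case in [("203.0.113.10", True, "192.168.1.1"),
                 ("203.0.113.10", False, "127.0.0.1"),
                 ("192.168.1.10", True, "::1"),
                 ("192.168.1.10", True, "192.168.1.1")]:
        print(case, "->", decide(*case))
```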