It's about time.
https://arstechnica.com/information-technology/2022/01/new-chrome-security-measure-aims-to-curtail-an-entire-class-of-web-attack/
For more than a decade, the Internet has remained vulnerable to a class of attacks that uses browsers as a beachhead for accessing
routers and other sensitive devices on a targeted network. Now, Google is finally doing something about it.
Starting in Chrome version 98, the browser will begin relaying requests when public websites want to access endpoints inside the
private network of the person visiting the site. For the time being, requests that fail won't prevent the connections from
happening. Instead, they'll only be logged. Somewhere around Chrome 101—assuming the results of this trial run don't indicate
major parts of the Internet will be broken—it will be mandatory for public sites to have explicit permission before they can
access endpoints behind the browser.
The planned deprecation of this access comes as Google enables a new specification known as private network access
<https://wicg.github.io/private-network-access/>, which permits public websites to access internal network resources only after
the sites have explicitly requested it and the browser grants the request. PNA communications are sent using the CORS, or
Cross-Origin Resource Sharing, protocol. Under the scheme, the public site sends a preflight request in the form of the new header
|Access-Control-Request-Private-Network: true|. For the request to be granted, the browser must respond with the corresponding
header |Access-Control-Allow-Private-Network: true|.
--
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:[email protected] aim://kimholburn
skype://kholburn - PGP Public Key on request
_______________________________________________
Link mailing list
[email protected]
https://mailman.anu.edu.au/mailman/listinfo/link
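
The preflight exchange described in the quoted article, as an added example that is not part of the original post or of Chrome's code: under the linked Private Network Access draft the browser sends the preflight to the internal endpoint, and that endpoint's reply carries the allow header. The origin allowlist, function names and sample values are assumptions made for illustration, and the browser-side check is simplified to the PNA header only.

```javascript
// Added example: device-side PNA preflight policy plus a simplified browser check.
// ALLOWED_ORIGINS and all sample values are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://admin.example.com"]);

// Headers are expected with lower-case names, as Node's http module delivers them.
function answerPreflight(method, headers) {
  const origin = headers["origin"];
  const isPreflight = method === "OPTIONS" && origin !== undefined &&
    headers["access-control-request-method"] !== undefined;
  if (!isPreflight) return null; // not a CORS preflight; handle as a normal request

  // Unknown origin: reply without any CORS headers so the browser refuses.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };

  const reply = {
    "Access-Control-Allow-Origin": origin, // echo the vetted origin, never "*"
    "Access-Control-Allow-Methods": "GET, POST",
    "Vary": "Origin",
  };
  // Grant private network access only when the browser asked for it.
  if (headers["access-control-request-private-network"] === "true") {
    reply["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: reply };
}

// Browser side: fate of a public-to-private request given the preflight reply.
// enforce=false models the log-only trial, enforce=true the mandatory phase.
function browserVerdict(reply, enforce) {
  const granted = reply !== null && reply.status >= 200 && reply.status < 300 &&
    reply.headers["Access-Control-Allow-Private-Network"] === "true";
  if (granted) return "allow";
  return enforce ? "block" : "allow-and-log";
}

// Constructed preflight headers as a browser would send them for a public page.
function samplePreflight(origin) {
  return {
    "origin": origin,
    "access-control-request-method": "POST",
    "access-control-request-private-network": "true",
  };
}
```

A device that never emits the allow header, such as a router with unmodified firmware, lands in the "allow-and-log" branch during the trial and in "block" once enforcement is on.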