Re: [webkit-dev] Request for opinion: Private Network Access secure context restriction
On Mon, May 3, 2021 at 3:38 PM youenn fablet wrote:
> On Mon, 3 May 2021 at 14:58, Titouan Rigoudy via webkit-dev <webkit-dev@lists.webkit.org> wrote:
>> Hi there friendly WebKittens,
>>
>> I am gearing up to ship a small first step of Private Network Access [1] in Chromium. Roughly:
>>
>> Websites served over HTTP from public IP addresses will no longer be allowed to make subresource fetches to private IP addresses (RFC1918 and/or localhost). Specifically, this restriction applies to non-secure contexts. Secure contexts are unaffected by this change.
>
> This seems like a good move to me.
> To be sure to understand, private IP address servers will not be able to opt in to be accessed by any HTTP origin.
> But they will be able to opt in for specific HTTPS origins.
> Is it correct?

That's the intended end state. I have not implemented the CORS preflight logic needed for target websites to opt in. So, when we ship this:

- private IP address servers will not be fetchable from any HTTP origins (precisely: non-secure contexts)
- but they remain fetchable with no change at all from HTTPS origins (precisely: secure contexts)

>> We have metrics in place telling us that ~0.1% of page visits at most make use of this feature.
>
> Do you know whether these 0.1% happen more often in corporate networks?

While we have seen some instances that seem to fit the Intranet bill, our fine-grained metrics have shown that this feature is used in small amounts on a wide variety of websites, most of which are public.

Cheers,
Titouan

>> I am interested in WebKit's opinion on this matter.
>>
>> For more details, see the chromestatus entry [2] and the Intent to Ship thread on blink-...@chromium.org [3].
>>
>> Cheers,
>> Titouan
>>
>> [1] https://wicg.github.io/private-network-access/
>> [2] https://chromestatus.com/feature/5436853517811712
>> [3] https://groups.google.com/a/chromium.org/g/blink-dev/c/cPiRNjFoCag/m/DxEEN9-6BQAJ

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Request for opinion: Private Network Access secure context restriction
On Mon, 3 May 2021 at 14:58, Titouan Rigoudy via webkit-dev <webkit-dev@lists.webkit.org> wrote:
> Hi there friendly WebKittens,
>
> I am gearing up to ship a small first step of Private Network Access [1] in Chromium. Roughly:
>
> Websites served over HTTP from public IP addresses will no longer be allowed to make subresource fetches to private IP addresses (RFC1918 and/or localhost). Specifically, this restriction applies to non-secure contexts. Secure contexts are unaffected by this change.

This seems like a good move to me.
To be sure to understand, private IP address servers will not be able to opt in to be accessed by any HTTP origin.
But they will be able to opt in for specific HTTPS origins.
Is it correct?

> We have metrics in place telling us that ~0.1% of page visits at most make use of this feature.

Do you know whether these 0.1% happen more often in corporate networks?

> I am interested in WebKit's opinion on this matter.
>
> For more details, see the chromestatus entry [2] and the Intent to Ship thread on blink-...@chromium.org [3].
>
> Cheers,
> Titouan
>
> [1] https://wicg.github.io/private-network-access/
> [2] https://chromestatus.com/feature/5436853517811712
> [3] https://groups.google.com/a/chromium.org/g/blink-dev/c/cPiRNjFoCag/m/DxEEN9-6BQAJ
[webkit-dev] Request for opinion: Private Network Access secure context restriction
Hi there friendly WebKittens,

I am gearing up to ship a small first step of Private Network Access [1] in Chromium. Roughly:

Websites served over HTTP from public IP addresses will no longer be allowed to make subresource fetches to private IP addresses (RFC1918 and/or localhost). Specifically, this restriction applies to non-secure contexts. Secure contexts are unaffected by this change.

We have metrics in place telling us that ~0.1% of page visits at most make use of this feature.

I am interested in WebKit's opinion on this matter.

For more details, see the chromestatus entry [2] and the Intent to Ship thread on blink-...@chromium.org [3].

Cheers,
Titouan

[1] https://wicg.github.io/private-network-access/
[2] https://chromestatus.com/feature/5436853517811712
[3] https://groups.google.com/a/chromium.org/g/blink-dev/c/cPiRNjFoCag/m/DxEEN9-6BQAJ
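The restriction described in the original post and made precise in Titouan's reply (non-secure contexts lose the ability to fetch into private address space; secure contexts are unaffected), as an added JavaScript model. This is example code written for this page, not code from the thread, from Chromium or from the Private Network Access draft. Assumptions: IPv4 only; the address-space names "local", "private" and "public" follow the draft; "private" is taken as RFC 1918 plus link-local 169.254.0.0/16, although the post mentions only RFC1918 and localhost; the `secure` flag stands for the initiator being a secure context, which the reply stresses is the real criterion rather than the URL scheme; and, generalizing from the post's public-to-private case to the draft's definition of a private network request, any fetch into a less public space (private-to-local included) is treated the same way.

```javascript
// Added example: a model of the first Private Network Access step shipped in
// Chromium as described in the webkit-dev thread. Not Chromium's code.

// Parse dotted-quad IPv4 into an unsigned 32-bit integer; null if malformed.
function parseIPv4(str) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Address-space table, first match wins. 169.254.0.0/16 is an assumption
// added here; the post itself names only RFC 1918 and localhost.
const SPACES = [
  ["127.0.0.0/8", "local"],       // loopback ("localhost" in the post)
  ["10.0.0.0/8", "private"],      // RFC 1918
  ["172.16.0.0/12", "private"],   // RFC 1918
  ["192.168.0.0/16", "private"],  // RFC 1918
  ["169.254.0.0/16", "private"],  // link-local (assumed, see above)
];

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const n = Number(bits);
  const mask = n === 0 ? 0 : (0xffffffff << (32 - n)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// Classify an IPv4 address: "local", "private" or "public".
function addressSpace(ipStr) {
  const ip = parseIPv4(ipStr);
  if (ip === null) throw new Error(`not an IPv4 address: ${ipStr}`);
  for (const [cidr, space] of SPACES) {
    if (inCidr(ip, cidr)) return space;
  }
  return "public";
}

// Higher rank = less public.
const RANK = { public: 0, private: 1, local: 2 };

// Decide a subresource fetch. `initiator` is { secure: boolean, ip: string }
// for the document making the request; `targetIp` is the resolved address of
// the request target. Returns "allow" or "block".
function pnaDecision(initiator, targetIp) {
  const from = addressSpace(initiator.ip);
  const to = addressSpace(targetIp);
  // Only requests into a less public space are "private network requests".
  if (RANK[to] <= RANK[from]) return "allow";
  // This first step leaves secure contexts untouched...
  if (initiator.secure) return "allow";
  // ...and blocks non-secure contexts outright (no opt-in exists yet).
  return "block";
}

// Walk a few constructed cases when run directly.
if (typeof require !== "undefined" && require.main === module) {
  const publicHttp = { secure: false, ip: "203.0.113.5" };
  const publicHttps = { secure: true, ip: "203.0.113.5" };
  for (const [ctx, target] of [
    [publicHttp, "192.168.1.10"],
    [publicHttps, "192.168.1.10"],
    [publicHttp, "198.51.100.7"],
    [{ secure: false, ip: "192.168.1.1" }, "127.0.0.1"],
  ]) {
    console.log(ctx.ip, ctx.secure ? "(secure)" : "(non-secure)", "->", target,
      addressSpace(target), pnaDecision(ctx, target));
  }
}
```

The model takes the resolved target address as input because the decision in the post is about IP address space, not about the hostname in the URL; a name that resolves to a private address is what the restriction is meant to catch.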