Woops, the following line:

> When a website served over HTTP from a public IP address

Should instead read: "When a website served from a public IP address"

There is no distinction between secure and non-secure contexts for this change.

Cheers,
Titouan

On Wed, Nov 10, 2021 at 3:31 PM Titouan Rigoudy <tito...@google.com> wrote:

> Hi there friendly WebKittens,
>
> I have been implementing the second step of Private Network Access (PNA)
> [1] in Chromium.
>
> When a website served over HTTP from a public IP address makes a
> subresource request to a private (RFC1918) IP address or localhost, Chrome
> will send a CORS preflight request with an extra PNA-specific header ahead
> of the actual request. This change also affects websites served from
> private IP addresses making subresource requests to localhost.
>
> The idea is to ask the target server whether it wants to opt into being
> contacted from the public internet. Most endpoints on the private network
> probably do not expect to receive such requests, and are often vulnerable
> to CSRF attacks.
>
> We have metrics in place telling us that ~1% of page visits at most make
> use of this feature, with a fairly clear weekly pattern suggesting use in
> work contexts.
>
> I am interested in WebKit's opinion on this matter.
>
> For more details, see the chromestatus entry [2].
>
> Cheers,
> Titouan
>
> [1] https://wicg.github.io/private-network-access/
> [2] https://chromestatus.com/feature/5737414355058688
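The preflight exchange described in the quoted message, as an added worked example (this is not code from the thread, from Chromium or from WebKit). It models both sides: the browser deciding whether a fetch crosses into a more private address space and, if so, attaching the PNA header to the CORS preflight; and two server handlers, one that explicitly opts in for an allow-listed origin and one legacy CORS handler that knows nothing about PNA and is therefore blocked by default. The header names `Access-Control-Request-Private-Network` and `Access-Control-Allow-Private-Network` are taken from the WICG draft linked as [1], not from the message; the address-space classification is simplified to RFC 1918, link-local and loopback, and all IPs and origins are constructed sample values.

```python
import ipaddress

# Header names from the WICG Private Network Access draft (assumption: the
# mailing-list message only says "an extra PNA-specific header").
PNA_REQUEST_HEADER = "Access-Control-Request-Private-Network"
PNA_ALLOW_HEADER = "Access-Control-Allow-Private-Network"

# Simplified address spaces, most public first. A preflight with the PNA
# header is needed whenever the target is in a more private space than the
# initiator: public -> private, public -> local, private -> local.
_RANK = {"public": 0, "private": 1, "local": 2}

# "Private" here means RFC 1918 plus link-local / ULA ranges (assumption: the
# spec's exact list is broader; the message itself cites RFC 1918).
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]


def address_space(host: str) -> str:
    """Classify a literal IP or 'localhost' as local, private or public.
    DNS resolution is out of scope for this example."""
    if host == "localhost":
        return "local"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "local"
    if any(ip in net for net in _PRIVATE_NETS):
        return "private"
    return "public"


def needs_pna_preflight(initiator_host: str, target_host: str) -> bool:
    return _RANK[address_space(target_host)] > _RANK[address_space(initiator_host)]


def build_preflight(origin: str, method: str, initiator_host: str, target_host: str) -> dict:
    """Browser side: headers of the OPTIONS preflight, with the PNA header
    added only when the fetch crosses into a more private address space."""
    headers = {"Origin": origin, "Access-Control-Request-Method": method}
    if needs_pna_preflight(initiator_host, target_host):
        headers[PNA_REQUEST_HEADER] = "true"
    return headers


def handle_preflight_opt_in(req: dict, allowed_origins: set) -> tuple:
    """Server side, PNA-aware: answer CORS and explicitly opt in to private
    network access, but only for an allow-listed origin."""
    origin = req.get("Origin")
    if origin not in allowed_origins:
        return 403, {}
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": req.get("Access-Control-Request-Method", "GET"),
    }
    if req.get(PNA_REQUEST_HEADER) == "true":
        resp[PNA_ALLOW_HEADER] = "true"
    return 204, resp


def handle_preflight_legacy(req: dict, allowed_origins: set) -> tuple:
    """Server side, pre-PNA: an ordinary CORS handler that never saw the new
    header. It cannot opt in, so the browser will refuse the actual request."""
    origin = req.get("Origin")
    if origin not in allowed_origins:
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": req.get("Access-Control-Request-Method", "GET"),
    }


def browser_accepts(req: dict, status: int, resp: dict) -> bool:
    """Browser side: send the actual request only if the normal CORS check
    passes and, when the PNA header was sent, the server explicitly opted in."""
    if status not in (200, 204):
        return False
    if resp.get("Access-Control-Allow-Origin") not in (req["Origin"], "*"):
        return False
    if req.get(PNA_REQUEST_HEADER) == "true" and resp.get(PNA_ALLOW_HEADER) != "true":
        return False
    return True


def simulate(origin, initiator_host, target_host, allowed_origins, handler=handle_preflight_opt_in):
    """One preflight round trip; returns (pna_header_sent, actual_request_allowed)."""
    req = build_preflight(origin, "GET", initiator_host, target_host)
    status, resp = handler(req, allowed_origins)
    return PNA_REQUEST_HEADER in req, browser_accepts(req, status, resp)


if __name__ == "__main__":
    # Constructed sample: a public page at 203.0.113.10 fetching from a device on 192.168.1.5.
    print(simulate("https://app.example", "203.0.113.10", "192.168.1.5", {"https://app.example"}))
    print(simulate("https://app.example", "203.0.113.10", "192.168.1.5", {"https://app.example"},
                   handle_preflight_legacy))
```

The legacy handler is the interesting case for the ~1% of affected page visits the message mentions: a server that already answers CORS correctly still fails the PNA check until it is changed to return the opt-in header, which is exactly the default-deny the proposal is after.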
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev