Titouan, Will the default for the runtime flag be 'Enabled' in 98?
The DevTrial number should reflect when the flag was first available. 'Shipping' refers to when it can be used in production without web developers or users doing anything. This can mean the flag was removed or it can mean the flag's default was changed to 'Enabled'. Joe Joe Medley | Technical Writer, Chrome DevRel | jmed...@google.com | 816-678-7195 *If an API's not documented it doesn't exist.* On Mon, Nov 29, 2021 at 7:37 AM 'Titouan Rigoudy' via blink-dev < blink-dev@chromium.org> wrote: > Contact emailstito...@chromium.org, v...@chromium.org, cl...@chromium.org > > Explainer > https://github.com/WICG/private-network-access/blob/main/explainer.md > > Specificationhttps://wicg.github.io/private-network-access/ > > Design docs > > https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit > > Summary > > Sends a CORS preflight request ahead of any private network requests for > subresources, asking for explicit permission from the target server. A > private network request is any request from a public website to a private > IP address or localhost, or from a private website (e.g. intranet) to > localhost. Sending a preflight request mitigates the risk of cross-site > request forgery attacks against private network devices such as routers, > which are often not prepared to defend against this threat. > > > Blink componentBlink>SecurityFeature>CORS>PrivateNetworkAccess > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess> > > TAG reviewhttps://github.com/w3ctag/design-reviews/issues/572 > > TAG review statusPending > > Risks > > > Interoperability and Compatibility > > The main interoperability risk, as always, is if other browser engines do > not implement this. Compat risk is straightforward: web servers that do not > handle the new preflight requests will eventually break, once the feature > ships. The plan to address this is as follows: 1. Send preflight request, > ignore result, always send actual request. Failed preflight requests will > result in a warning being shown in devtools. 2. Wait for 3 milestones. 3. > Gate actual request on preflight request success, with deprecation trial > for developers to buy some more time. 4. End deprecation trial 4 milestones > later. UseCounters: > https://chromestatus.com/metrics/feature/timeline/popularity/3753 > https://chromestatus.com/metrics/feature/timeline/popularity/3755 > https://chromestatus.com/metrics/feature/timeline/popularity/3757 The > above measure pages that make at least one private network request for > which we would now send a preflight request. > > > Gecko: Worth prototyping ( > https://github.com/mozilla/standards-positions/issues/143) > > WebKit: No signal ( > https://lists.webkit.org/pipermail/webkit-dev/2021-November/032040.html) > Pending response. > > Web developers: No signals Anecdotal evidence so far suggests that most > web developers are OK with this new requirement, though some do not control > the target endpoints and would be negatively impacted. > > Other signals: > > Ergonomics > > None. > > > Activation > > Gating access to the private network overnight on preflight requests would > likely result in widespread breakage. This is why the plan is to first send > requests but not act on their result, giving server developers time to > implement code handling these requests. Deprecation warnings will be > surfaced in DevTools to alert web/client developers when the potential for > breakage later on is detected. Enforcement will be turned on later (aiming > for 3 milestones), along with a deprecation trial for impacted web > developers to buy themselves some more time. Experience suggests a large > fraction of developers will not notice the advance deprecation warnings > until things break. > > > Security > > This change aims to be security-positive, preventing CSRF attacks against > soft and juicy targets such as router admin interfaces. DNS rebinding > threats were of particular concern during the design of this feature: > https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit#heading=h.189j5gnadts9 > > > Debuggability > > Relevant information (client and resource IP address space) is already > piped into the DevTools network panel. Deprecation warnings and errors will > be surfaced in the DevTools issues panel explaining the problem when it > arises. > > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> > ?Yes > > DevTrial instructions > https://github.com/WICG/private-network-access/blob/main/HOWTO.md > > Flag namePrivateNetworkAccessRespectPreflightResults > > Requires code in //chrome?False > > Tracking bughttps://crbug.com/591068 > > Launch bughttps://crbug.com/1274149 > > Estimated milestones > DevTrial on desktop 98 > DevTrial on android 98 > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/5737414355058688 > > Links to previous Intent discussionsIntent to prototype: > https://groups.google.com/a/chromium.org/g/blink-dev/c/PrB0xnNxaHs/m/jeoxvNjXCAAJ > > > This intent message was generated by Chrome Platform Status > <https://www.chromestatus.com/>. > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9fdAK%2BnrTfUzug8ub_DhV_LE0b7XrgZ7j5%2Bj_BHtW-FXg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9fdAK%2BnrTfUzug8ub_DhV_LE0b7XrgZ7j5%2Bj_BHtW-FXg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJUhtG_D0ntmxE_LtL-kY1iTw-JYfj28WX5zuKbWXEd%2B5w9Kdw%40mail.gmail.com.
