Thanks for the pointer! I've reached out and will see what I can do.

Cheers,
Titouan
On Wed, Dec 1, 2021 at 3:21 PM Yoav Weiss <yoavwe...@chromium.org> wrote:
>
> On Wed, Dec 1, 2021 at 2:43 PM Titouan Rigoudy <tito...@google.com> wrote:
>>
>> Thanks for the response Yoav, answers inline.
>>
>> On Wed, Dec 1, 2021 at 1:22 PM Yoav Weiss <yoavwe...@chromium.org> wrote:
>>>
>>> On Monday, November 29, 2021 at 4:37:24 PM UTC+1 Titouan Rigoudy wrote:
>>>>
>>>> Contact emails: tito...@chromium.org, v...@chromium.org, cl...@chromium.org
>>>>
>>>> Explainer: https://github.com/WICG/private-network-access/blob/main/explainer.md
>>>>
>>>> Specification: https://wicg.github.io/private-network-access/
>>>>
>>>> Design docs: https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit
>>>>
>>>> Summary
>>>>
>>>> Sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. A private network request is any request from a public website to a private IP address or localhost, or from a private website (e.g. intranet) to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.
>>>>
>>>> Blink component: Blink>SecurityFeature>CORS>PrivateNetworkAccess <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
>>>>
>>>> TAG review: https://github.com/w3ctag/design-reviews/issues/572
>>>>
>>>> TAG review status: Pending
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> The main interoperability risk, as always, is if other browser engines do not implement this. Compat risk is straightforward: web servers that do not handle the new preflight requests will eventually break, once the feature ships. The plan to address this is as follows:
>>>>
>>>> 1. Send preflight request, ignore result, always send actual request. Failed preflight requests will result in a warning being shown in devtools.
>>>
>>> Would that include deprecation reports?
>>
>> Not so far. Blink is not made aware of the warnings yet, they go from the network service to the browser process and then straight to devtools. More wiring would be needed for Blink to notice the warning and send a deprecation report.
>
> https://groups.google.com/a/chromium.org/g/blink-dev/c/xWVtdGDLz_Q/m/kyofZuRfBAAJ may be a relevant conversation on that front. It may be worthwhile to talk to Andrew to see what they did on that front.
>
>>>> 2. Wait for 3 milestones.
>>>>
>>>> 3. Gate actual request on preflight request success, with deprecation trial for developers to buy some more time.
>>>
>>> We'd also need to communicate this widely in order to get relevant developers to sign up for the deprecation trial. UKM investigation can help us focus efforts on that front.
>>
>> That is true. I am planning to write a blog post on web.dev or the chrome blog to help raise awareness.
>>
>>>> 4. End deprecation trial 4 milestones later.
>>>>
>>>> UseCounters:
>>>> https://chromestatus.com/metrics/feature/timeline/popularity/3753
>>>> https://chromestatus.com/metrics/feature/timeline/popularity/3755
>>>> https://chromestatus.com/metrics/feature/timeline/popularity/3757
>>>
>>> That's a lot of usage :/ I remember you did a bunch of UKM investigations in the past. Did that include this case as well?
>>
>> I did not look at these metrics during my previous UKM analysis - I was focusing on non-secure contexts initiating private network requests. I can look into them again however, and try to reach out to the biggest users before enforcement is turned on.
>>
>> Cheers,
>> Titouan
>>
>>>> The above measure pages that make at least one private network request for which we would now send a preflight request.
>>>>
>>>> Gecko: Worth prototyping (https://github.com/mozilla/standards-positions/issues/143)
>>>>
>>>> WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-November/032040.html) Pending response.
>>>>
>>>> Web developers: No signals. Anecdotal evidence so far suggests that most web developers are OK with this new requirement, though some do not control the target endpoints and would be negatively impacted.
>>>>
>>>> Other signals:
>>>>
>>>> Ergonomics
>>>>
>>>> None.
>>>>
>>>> Activation
>>>>
>>>> Gating access to the private network overnight on preflight requests would likely result in widespread breakage. This is why the plan is to first send requests but not act on their result, giving server developers time to implement code handling these requests. Deprecation warnings will be surfaced in DevTools to alert web/client developers when the potential for breakage later on is detected. Enforcement will be turned on later (aiming for 3 milestones), along with a deprecation trial for impacted web developers to buy themselves some more time. Experience suggests a large fraction of developers will not notice the advance deprecation warnings until things break.
>>>>
>>>> Security
>>>>
>>>> This change aims to be security-positive, preventing CSRF attacks against soft and juicy targets such as router admin interfaces. DNS rebinding threats were of particular concern during the design of this feature: https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit#heading=h.189j5gnadts9
>>>>
>>>> Debuggability
>>>>
>>>> Relevant information (client and resource IP address space) is already piped into the DevTools network panel. Deprecation warnings and errors will be surfaced in the DevTools issues panel explaining the problem when it arises.
>>>>
>>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>? Yes
>>>>
>>>> DevTrial instructions: https://github.com/WICG/private-network-access/blob/main/HOWTO.md
>>>>
>>>> Flag name: PrivateNetworkAccessRespectPreflightResults
>>>>
>>>> Requires code in //chrome? False
>>>>
>>>> Tracking bug: https://crbug.com/591068
>>>>
>>>> Launch bug: https://crbug.com/1274149
>>>>
>>>> Estimated milestones
>>>> DevTrial on desktop: 98
>>>> DevTrial on android: 98
>>>>
>>>> Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/5737414355058688
>>>>
>>>> Links to previous Intent discussions: Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/PrB0xnNxaHs/m/jeoxvNjXCAAJ
>>>>
>>>> This intent message was generated by Chrome Platform Status <https://www.chromestatus.com/>.

--
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9eR%3DCidUvL1VBea8iR2%2B-J6RD7smeRXv_g5LPQ40HGhKg%40mail.gmail.com.