On Wed, Apr 12, 2023, 12:45 Yoav Weiss <[email protected]> wrote:
> > > On Wed, Apr 5, 2023 at 2:02 PM Jonathan Hao <[email protected]> wrote: > >> Sorry for the confusion about the spec name. We've recently changed our >> stance >> https://github.com/WICG/local-network-access/issues/91#issuecomment-1494704528 >> and the spec name is still unsettled until we hear back from other browser >> vendors. Both Private Network Access and Local Network Access mean the same >> thing for now. >> >> On Wed, Apr 5, 2023, 12:22 Jonathan Hao <[email protected]> wrote: >> >>> Note that Private Network Access is in the process of being renamed to >>> Local Network Access, so you may see inconsistent names for the time being. >>> >>> Explainer >>> >>> https://github.com/WICG/local-network-access/blob/main/explainer.md >>> >>> Specification >>> >>> https://wicg.github.io/local-network-access/#secure-context-restriction >>> <https://wicg.github.io/local-network-access> >>> >>> Design docs >>> >>> Local Network Access: Allow Potentially Trustworthy Same-Origin Fetches >>> <https://docs.google.com/document/d/1XopQKc6sR-2URgKqEleb-XNjcSPOjTI-E5qRxWGBuTY/edit#heading=h.y2euwddkcot> >>> >>> Private Network Access: Preflight requests for subresources >>> <https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit> >>> >>> Summary >>> >>> Allow same-origin local network fetches to potentially-trustworthy >>> origins and do not send preflights for them. We currently send preflights >>> before all local network requests, but ignore the results, as proposed in >>> Intent >>> to Ship: Private Network Access preflight requests for subresources >>> <https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/72CK2mxD47c/m/5mkboUneAwAJ> >>> . >>> >> > Can you expand on this change? Would this result in not sending preflights > IFF their origin is the same as the document's origin? > Yes. Preflights will not be sent iff the origin is the same as the documents' origin and the origin is potentially trustworthy. Would this also work for embedded documents? (resulting in a single > preflight for the document's resource, but not subresource) > Or would it be restricted to cases where the user explicitly went to a > local network top-level document? (Or something else entirely, and I > misunderstood) > Yes it works for embedded documents too. The preflight for iframe navigation is being worked on separately in https://crbug.com/1291252. If the subresource is same origin to the embedded document then it doesn't require additional preflights. > > >> >>> Blink componentBlink>SecurityFeature>CORS>PrivateNetworkAccess >>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess> >>> >>> TAG reviewhttps://github.com/w3ctag/design-reviews/issues/572 >>> >>> TAG review statusIssues addressed >>> >>> Risks >>> >>> Interoperability and Compatibility >>> >>> This change reduces the compatibility risk of enforcing preflight >>> results on private network requests as we now send fewer preflights for >>> private network requests, so it’s less likely to break websites. >>> >>> Gecko: No signal about this specific change. >>> >>> WebKit: No signal about this specific change. >>> >>> Web developers: No signal about this specific change, but they should >>> be happy since this reduces compatibility risks. >>> >>> Other signals: >>> >>> >>> Ergonomics >>> >>> None. >>> >>> >>> Activation >>> >>> We plan to ship this change directly to M114 as this relaxes the >>> previous restrictions. >>> >>> Security >>> >>> This change is limited to potentially trustworthy origins. Proof of >>> certificate protects users from DNS rebinding. >>> >>> WebView application risks >>> >>> There’s no plan to ship Local Network Access on WebView. >>> >>> >>> >>> Debuggability >>> >>> Relevant information (client and resource IP address space) is already >>> piped into the DevTools network panel. Deprecation warnings and errors will >>> be surfaced in the DevTools issues panel explaining the problem when it >>> arises. >>> >>> >>> Will this feature be supported on all six Blink platforms (Windows, Mac, >>> Linux, Chrome OS, Android, and Android WebView)?No >>> >>> Not on Android WebView given previous difficulty in supporting PNA >>> changes due to the lack of support for deprecation trials. Support for >>> WebView will be considered separately. >>> >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ?No >>> >>> DevTrial instructionsNo DevTrial for this change >>> >>> Flag name >>> >>> LocalNetworkAccessAllowPotentiallyTrustworthySameOrigin >>> >>> Requires code in //chrome? >>> >>> Only for metric logging >>> >>> Tracking bug >>> >>> https://crbug.com/1382068 >>> >>> Launch bug >>> >>> https://crbug.com/1274149 >>> >>> >>> Estimated milestones >>> DevTrial on desktop 114 >>> DevTrial on Android 114 >>> Anticipated spec changes >>> >>> Open questions about a feature may be a source of future web compat or >>> interop issues. Please list open issues (e.g. links to known github issues >>> in the project for the feature specification) whose resolution may >>> introduce web compat/interop risk (e.g., changing to naming or structure of >>> the API in a non-backward-compatible way). >>> >>> None >>> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/5737414355058688 >>> >>> Links to previous Intent discussions >>> Intent to prototype: >>> https://groups.google.com/a/chromium.org/g/blink-dev/c/ArrhiKB8XF0/m/cGO-5B1IAwAJ >>> Intent to prototype (all preflights): >>> https://groups.google.com/a/chromium.org/g/blink-dev/c/PrB0xnNxaHs/m/jeoxvNjXCAAJ >>> Intent to Experiment (all preflights): >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiP%2Bew8hADZkdQ3AO6P9WzfGuzLPp9JjJZqztV5oZmaK8oQ%40mail.gmail.com >>> >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com/>.v >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABsQ2jGAcTV4CUKKwsYYfnQRiQ_W6KK9L4OQ5uNHNGn3WMhZ5Q%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABsQ2jGAcTV4CUKKwsYYfnQRiQ_W6KK9L4OQ5uNHNGn3WMhZ5Q%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiP%2BeCVFCbq8G-%2BYXWDC8wK7ozWAzawXcxMe%3D_GwycHBRVQ%40mail.gmail.com.
