LGTM1 Thanks for explaining! :)
On Wed, Apr 12, 2023 at 2:24 PM Jonathan Hao <[email protected]> wrote:

> On Wed, Apr 12, 2023, 12:45 Yoav Weiss <[email protected]> wrote:
>
>> On Wed, Apr 5, 2023 at 2:02 PM Jonathan Hao <[email protected]> wrote:
>>
>>> Sorry for the confusion about the spec name. We've recently changed our
>>> stance
>>> https://github.com/WICG/local-network-access/issues/91#issuecomment-1494704528
>>> and the spec name is still unsettled until we hear back from other browser
>>> vendors. Both Private Network Access and Local Network Access mean the same
>>> thing for now.
>>>
>>> On Wed, Apr 5, 2023, 12:22 Jonathan Hao <[email protected]> wrote:
>>>
>>>> Note that Private Network Access is in the process of being renamed to
>>>> Local Network Access, so you may see inconsistent names for the time being.
>>>>
>>>> Explainer
>>>>
>>>> https://github.com/WICG/local-network-access/blob/main/explainer.md
>>>>
>>>> Specification
>>>>
>>>> https://wicg.github.io/local-network-access/#secure-context-restriction
>>>> <https://wicg.github.io/local-network-access>
>>>>
>>>> Design docs
>>>>
>>>> Local Network Access: Allow Potentially Trustworthy Same-Origin Fetches
>>>> <https://docs.google.com/document/d/1XopQKc6sR-2URgKqEleb-XNjcSPOjTI-E5qRxWGBuTY/edit#heading=h.y2euwddkcot>
>>>>
>>>> Private Network Access: Preflight requests for subresources
>>>> <https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit>
>>>>
>>>> Summary
>>>>
>>>> Allow same-origin local network fetches to potentially-trustworthy
>>>> origins and do not send preflights for them. We currently send preflights
>>>> before all local network requests, but ignore the results, as proposed in
>>>> Intent to Ship: Private Network Access preflight requests for subresources
>>>> <https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/72CK2mxD47c/m/5mkboUneAwAJ>.
>>>>
>>
>> Can you expand on this change? Would this result in not sending
>> preflights IFF their origin is the same as the document's origin?
>>
>
> Yes. Preflights will not be sent iff the origin is the same as the
> document's origin and the origin is potentially trustworthy.
>
>> Would this also work for embedded documents? (resulting in a single
>> preflight for the document's resource, but not subresource)
>> Or would it be restricted to cases where the user explicitly went to a
>> local network top-level document? (Or something else entirely, and I
>> misunderstood)
>>
>
> Yes it works for embedded documents too. The preflight for iframe
> navigation is being worked on separately in https://crbug.com/1291252.
> If the subresource is same origin to the embedded document then it doesn't
> require additional preflights.
>
>>>> Blink component
>>>>
>>>> Blink>SecurityFeature>CORS>PrivateNetworkAccess
>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
>>>>
>>>> TAG review
>>>>
>>>> https://github.com/w3ctag/design-reviews/issues/572
>>>>
>>>> TAG review status
>>>>
>>>> Issues addressed
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> This change reduces the compatibility risk of enforcing preflight
>>>> results on private network requests as we now send fewer preflights for
>>>> private network requests, so it’s less likely to break websites.
>>>>
>>>> Gecko: No signal about this specific change.
>>>>
>>>> WebKit: No signal about this specific change.
>>>>
>>>> Web developers: No signal about this specific change, but they should
>>>> be happy since this reduces compatibility risks.
>>>>
>>>> Other signals:
>>>>
>>>> Ergonomics
>>>>
>>>> None.
>>>>
>>>> Activation
>>>>
>>>> We plan to ship this change directly to M114 as this relaxes the
>>>> previous restrictions.
>>>>
>>>> Security
>>>>
>>>> This change is limited to potentially trustworthy origins. Proof of
>>>> certificate protects users from DNS rebinding.
>>>>
>>>> WebView application risks
>>>>
>>>> There’s no plan to ship Local Network Access on WebView.
>>>>
>>>> Debuggability
>>>>
>>>> Relevant information (client and resource IP address space) is already
>>>> piped into the DevTools network panel. Deprecation warnings and errors will
>>>> be surfaced in the DevTools issues panel explaining the problem when it
>>>> arises.
>>>>
>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>> Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>
>>>> No
>>>>
>>>> Not on Android WebView given previous difficulty in supporting PNA
>>>> changes due to the lack of support for deprecation trials. Support for
>>>> WebView will be considered separately.
>>>>
>>>> Is this feature fully tested by web-platform-tests
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>
>>>> No
>>>>
>>>> DevTrial instructions
>>>>
>>>> No DevTrial for this change
>>>>
>>>> Flag name
>>>>
>>>> LocalNetworkAccessAllowPotentiallyTrustworthySameOrigin
>>>>
>>>> Requires code in //chrome?
>>>>
>>>> Only for metric logging
>>>>
>>>> Tracking bug
>>>>
>>>> https://crbug.com/1382068
>>>>
>>>> Launch bug
>>>>
>>>> https://crbug.com/1274149
>>>>
>>>> Estimated milestones
>>>>
>>>> DevTrial on desktop 114
>>>> DevTrial on Android 114
>>>>
>>>> Anticipated spec changes
>>>>
>>>> Open questions about a feature may be a source of future web compat or
>>>> interop issues. Please list open issues (e.g. links to known github issues
>>>> in the project for the feature specification) whose resolution may
>>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>>> the API in a non-backward-compatible way).
>>>>
>>>> None
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>>
>>>> https://chromestatus.com/feature/5737414355058688
>>>>
>>>> Links to previous Intent discussions
>>>>
>>>> Intent to prototype:
>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/ArrhiKB8XF0/m/cGO-5B1IAwAJ
>>>> Intent to prototype (all preflights):
>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/PrB0xnNxaHs/m/jeoxvNjXCAAJ
>>>> Intent to Experiment (all preflights):
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiP%2Bew8hADZkdQ3AO6P9WzfGuzLPp9JjJZqztV5oZmaK8oQ%40mail.gmail.com
>>>>
>>>> This intent message was generated by Chrome Platform Status
>>>> <https://chromestatus.com/>.
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABsQ2jGAcTV4CUKKwsYYfnQRiQ_W6KK9L4OQ5uNHNGn3WMhZ5Q%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABsQ2jGAcTV4CUKKwsYYfnQRiQ_W6KK9L4OQ5uNHNGn3WMhZ5Q%40mail.gmail.com?utm_medium=email&utm_source=footer>.
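
The preflight rule described in the thread above, as an added example that is not part of the original messages and is not Chromium code: a request into a more private address space skips the preflight only when it is same-origin with the requesting document and that origin is potentially trustworthy. The address-space names follow the Private Network Access draft; the function names, hosts and the simplified trustworthiness test are assumptions.

```javascript
// Added illustration of the rule described in the thread; not Chromium code.
// Address spaces from least to most private (names from the PNA draft).
const RANK = { public: 0, private: 1, local: 2 };

// Simplified "potentially trustworthy" check (assumption: only https/wss
// schemes and loopback hosts; the Secure Contexts spec lists more cases).
function isPotentiallyTrustworthy(origin) {
  const u = new URL(origin);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const h = u.hostname;
  return h === 'localhost' || h.endsWith('.localhost') ||
    /^127\.\d+\.\d+\.\d+$/.test(h) || h === '[::1]';
}

// documentUrl is the document issuing the request (top-level or embedded).
function preflightDecision({ documentUrl, documentSpace, requestUrl, targetSpace }) {
  if (!Object.hasOwn(RANK, documentSpace) || !Object.hasOwn(RANK, targetSpace)) {
    throw new RangeError('unknown address space');
  }
  // Only requests into a more private address space are in scope.
  if (RANK[targetSpace] <= RANK[documentSpace]) return 'not-local-network-request';
  const docOrigin = new URL(documentUrl).origin;
  const reqOrigin = new URL(requestUrl).origin;
  // Same origin AND potentially trustworthy: for https origins the TLS
  // handshake proves the server holds the origin's certificate, which a
  // DNS-rebinding target cannot do.
  if (reqOrigin === docOrigin && isPotentiallyTrustworthy(reqOrigin)) {
    return 'skip-preflight';
  }
  return 'send-preflight';
}

// Constructed sample requests (hosts and address spaces are made up).
const CASES = {
  httpsSameOrigin: { documentUrl: 'https://app.example/', documentSpace: 'public',
    requestUrl: 'https://app.example/api/status', targetSpace: 'private' },
  httpSameOrigin: { documentUrl: 'http://app.example/', documentSpace: 'public',
    requestUrl: 'http://app.example/api/status', targetSpace: 'private' },
  httpsCrossOrigin: { documentUrl: 'https://app.example/', documentSpace: 'public',
    requestUrl: 'https://printer.example/status', targetSpace: 'private' },
  sameSpace: { documentUrl: 'http://192.168.1.10/', documentSpace: 'private',
    requestUrl: 'http://192.168.1.20/status', targetSpace: 'private' },
};

for (const [name, c] of Object.entries(CASES)) {
  console.log(name.padEnd(18), preflightDecision(c));
}
```

The `httpSameOrigin` case has the shape of a DNS-rebinding request (same name, now resolving to a private address, no certificate check), which is why it still gets a preflight.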
