LGTM3 On Thu, Apr 27, 2023 at 7:14 AM Mike Taylor <miketa...@chromium.org> wrote:
> LGTM2 (sorry for the delay, it seems this fell out of our review queue). > On 4/27/23 9:56 AM, Jonathan Hao wrote: > > Hi Yoav, > > It's been 2 weeks but no other API owners have replied. Do you know if > there's any blockers? Should we ping the other API owners or could you > help us? > > Best, > Jonathan > > On Wed, Apr 12, 2023 at 1:26 PM Yoav Weiss <yoavwe...@chromium.org> wrote: > >> LGTM1 >> >> Thanks for explaining! :) >> >> On Wed, Apr 12, 2023 at 2:24 PM Jonathan Hao <p...@chromium.org> wrote: >> >>> >>> >>> On Wed, Apr 12, 2023, 12:45 Yoav Weiss <yoavwe...@chromium.org> wrote: >>> >>>> >>>> >>>> On Wed, Apr 5, 2023 at 2:02 PM Jonathan Hao <p...@chromium.org> wrote: >>>> >>>>> Sorry for the confusion about the spec name. We've recently changed >>>>> our stance >>>>> https://github.com/WICG/local-network-access/issues/91#issuecomment-1494704528 >>>>> and the spec name is still unsettled until we hear back from other browser >>>>> vendors. Both Private Network Access and Local Network Access mean the >>>>> same >>>>> thing for now. >>>>> >>>>> On Wed, Apr 5, 2023, 12:22 Jonathan Hao <p...@chromium.org> wrote: >>>>> >>>>>> Note that Private Network Access is in the process of being renamed >>>>>> to Local Network Access, so you may see inconsistent names for the time >>>>>> being. Explainer >>>>>> >>>>>> https://github.com/WICG/local-network-access/blob/main/explainer.md >>>>>> >>>>>> Specification >>>>>> >>>>>> >>>>>> https://wicg.github.io/local-network-access/#secure-context-restriction >>>>>> <https://wicg.github.io/local-network-access> >>>>>> >>>>>> Design docs >>>>>> >>>>>> Local Network Access: Allow Potentially Trustworthy Same-Origin >>>>>> Fetches >>>>>> <https://docs.google.com/document/d/1XopQKc6sR-2URgKqEleb-XNjcSPOjTI-E5qRxWGBuTY/edit#heading=h.y2euwddkcot> >>>>>> >>>>>> Private Network Access: Preflight requests for subresources >>>>>> <https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit> >>>>>> >>>>>> Summary >>>>>> >>>>>> Allow same-origin local network fetches to potentially-trustworthy >>>>>> origins and do not send preflights for them. We currently send preflights >>>>>> before all local network requests, but ignore the results, as proposed >>>>>> in Intent >>>>>> to Ship: Private Network Access preflight requests for subresources >>>>>> <https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/72CK2mxD47c/m/5mkboUneAwAJ> >>>>>> . >>>>>> >>>>> >>>> Can you expand on this change? Would this result in not sending >>>> preflights IFF their origin is the same as the document's origin? >>>> >>> >>> Yes. Preflights will not be sent iff the origin is the same as the >>> documents' origin and the origin is potentially trustworthy. >>> >>> Would this also work for embedded documents? (resulting in a single >>>> preflight for the document's resource, but not subresource) >>>> Or would it be restricted to cases where the user explicitly went to a >>>> local network top-level document? (Or something else entirely, and I >>>> misunderstood) >>>> >>> >>> Yes it works for embedded documents too. The preflight for iframe >>> navigation is being worked on separately in https://crbug.com/1291252. >>> If the subresource is same origin to the embedded document then it doesn't >>> require additional preflights. >>> >>>> >>>> >>>>> >>>>>> Blink component Blink>SecurityFeature>CORS>PrivateNetworkAccess >>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess> >>>>>> >>>>>> TAG review https://github.com/w3ctag/design-reviews/issues/572 >>>>>> >>>>>> TAG review status Issues addressed >>>>>> >>>>>> Risks >>>>>> >>>>>> Interoperability and Compatibility >>>>>> >>>>>> This change reduces the compatibility risk of enforcing preflight >>>>>> results on private network requests as we now send fewer preflights for >>>>>> private network requests, so it’s less likely to break websites. >>>>>> >>>>>> Gecko: No signal about this specific change. >>>>>> >>>>>> WebKit: No signal about this specific change. >>>>>> >>>>>> Web developers: No signal about this specific change, but they >>>>>> should be happy since this reduces compatibility risks. >>>>>> >>>>>> Other signals: >>>>>> >>>>>> >>>>>> Ergonomics >>>>>> >>>>>> None. >>>>>> >>>>>> >>>>>> Activation >>>>>> >>>>>> We plan to ship this change directly to M114 as this relaxes the >>>>>> previous restrictions. >>>>>> >>>>>> Security >>>>>> >>>>>> This change is limited to potentially trustworthy origins. Proof of >>>>>> certificate protects users from DNS rebinding. >>>>>> >>>>>> WebView application risks >>>>>> >>>>>> There’s no plan to ship Local Network Access on WebView. >>>>>> >>>>>> >>>>>> Debuggability >>>>>> >>>>>> Relevant information (client and resource IP address space) is >>>>>> already piped into the DevTools network panel. Deprecation warnings and >>>>>> errors will be surfaced in the DevTools issues panel explaining the >>>>>> problem >>>>>> when it arises. >>>>>> >>>>>> >>>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? No >>>>>> >>>>>> Not on Android WebView given previous difficulty in supporting PNA >>>>>> changes due to the lack of support for deprecation trials. Support for >>>>>> WebView will be considered separately. >>>>>> >>>>>> >>>>>> Is this feature fully tested by web-platform-tests >>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>>> ? No >>>>>> >>>>>> DevTrial instructions No DevTrial for this change >>>>>> >>>>>> Flag name >>>>>> >>>>>> LocalNetworkAccessAllowPotentiallyTrustworthySameOrigin >>>>>> >>>>>> Requires code in //chrome? >>>>>> >>>>>> Only for metric logging >>>>>> >>>>>> Tracking bug >>>>>> >>>>>> https://crbug.com/1382068 >>>>>> >>>>>> Launch bug >>>>>> >>>>>> https://crbug.com/1274149 >>>>>> >>>>>> >>>>>> Estimated milestones >>>>>> DevTrial on desktop 114 >>>>>> DevTrial on Android 114 >>>>>> Anticipated spec changes >>>>>> >>>>>> Open questions about a feature may be a source of future web compat >>>>>> or interop issues. Please list open issues (e.g. links to known github >>>>>> issues in the project for the feature specification) whose resolution may >>>>>> introduce web compat/interop risk (e.g., changing to naming or structure >>>>>> of >>>>>> the API in a non-backward-compatible way). >>>>>> >>>>>> None >>>>>> >>>>>> Link to entry on the Chrome Platform Status >>>>>> https://chromestatus.com/feature/5737414355058688 >>>>>> >>>>>> Links to previous Intent discussions >>>>>> Intent to prototype: >>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/ArrhiKB8XF0/m/cGO-5B1IAwAJ >>>>>> Intent to prototype (all preflights): >>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/PrB0xnNxaHs/m/jeoxvNjXCAAJ >>>>>> Intent to Experiment (all preflights): >>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiP%2Bew8hADZkdQ3AO6P9WzfGuzLPp9JjJZqztV5oZmaK8oQ%40mail.gmail.com >>>>>> >>>>>> >>>>>> This intent message was generated by Chrome Platform Status >>>>>> <https://chromestatus.com/>.v >>>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to blink-dev+unsubscr...@chromium.org. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABsQ2jGAcTV4CUKKwsYYfnQRiQ_W6KK9L4OQ5uNHNGn3WMhZ5Q%40mail.gmail.com >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABsQ2jGAcTV4CUKKwsYYfnQRiQ_W6KK9L4OQ5uNHNGn3WMhZ5Q%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiPLfTRMRBp56AY-DTAAke5kx6dKVfKqc8c6RXVr7tu3MqQ%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiPLfTRMRBp56AY-DTAAke5kx6dKVfKqc8c6RXVr7tu3MqQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/288b0a13-287a-0716-13a6-d878bbf73fe4%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/288b0a13-287a-0716-13a6-d878bbf73fe4%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9QUA6fiEt4tXurshEk-9bCP0N8H830iTKeOBvDhu2C_g%40mail.gmail.com.
