Contact emails
sp...@chromium.org

Explainer
https://github.com/WICG/private-network-access/blob/main/explainer.md

Specification
https://github.com/WICG/private-network-access

Design docs
https://docs.google.com/document/d/1ozjh-G6faEEkgVp__mjq6c_4U93sS4kK4zoelTE7Awg/edit?usp=sharing

Summary

Enforce (instead of just warn) Private Network Access restrictions on
Chrome for Android Automotive (if BuildInfo::is_automotive), including:

- Private Network Access preflight requests for subresources. See
  https://chromestatus.com/feature/5737414355058688, and
- Private Network Access for Workers. See
  https://chromestatus.com/feature/5742979561029632


Blink component
Blink>SecurityFeature>CORS>PrivateNetworkAccess
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>

TAG review
https://github.com/w3ctag/design-reviews/issues/572

TAG review status
Issues addressed

Origin Trial documentation link
https://github.com/WICG/private-network-access/blob/main/explainer.md

Risks


Interoperability and Compatibility

Android Automotive is going to be a new platform, so no websites should
rely on making private network requests yet. And our purpose is to ship
this from the beginning to avoid future compatibility risks.


*Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/143)

*WebKit*: Positive (https://github.com/WebKit/standards-positions/issues/163)

*Web developers*: Mixed signals. Anecdotal evidence so far suggests that
most web developers are OK with this new requirement, though some do not
control the target endpoints and would be negatively impacted.

*Other signals*:

Security

This change aims to be security-positive, preventing CSRF attacks against
soft and juicy targets such as router admin interfaces. It does not cover
navigation requests, which are to be addressed in followup launches. DNS
rebinding threats were of particular concern during the design of this
feature:
https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit#heading=h.189j5gnadts9


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

None


Debuggability

Relevant information (client and resource IP address space) is already
piped into the DevTools network panel. Deprecation warnings and errors will
be surfaced in the DevTools issues panel explaining the problem when it
arises.


Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux, Chrome OS, Android, and Android WebView)?
No

Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes

Flag name on chrome://flags
None

Finch feature name
PrivateNetworkAccessRestrictionsForAutomotive

Requires code in //chrome?
False

Estimated milestones
Shipping on Android (only when is_automotive=true): 119

Anticipated spec changes

Open questions about a feature may be a source of future web compat or
interop issues. Please list open issues (e.g. links to known github issues
in the project for the feature specification) whose resolution may
introduce web compat/interop risk (e.g., changing to naming or structure of
the API in a non-backward-compatible way).
None

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5082807021338624

Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/a/chromium.org/g/blink-dev/c/MO2HmKaFe8c/m/vljPBcxdAQAJ

This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.

To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiP%2BAu2epCdGTM-VgyBXj61C%2BJ4WUv3WTO9SZ_OAeaf2JmQ%40mail.gmail.com.
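The Summary and Security sections above describe the Private Network Access preflight in prose. The following is an added example, not part of the Intent, the WICG spec, or Chromium's code: a small model of the check the browser performs (is the target address space more private than the initiator's?), the preflight it then sends with `Access-Control-Request-Private-Network: true`, and the opt-in a device on the private network must return (`Access-Control-Allow-Private-Network: true`). The address-space classification is a simplification of the spec's table (IPv6 handling only covers `::1`, `fc00::/7` and `fe80::/10`), and all origins, IP addresses and the allowlist are constructed for the example. It models only the preflight; the DNS rebinding concern linked above is handled by the browser classifying the address the connection actually went to, which this code does not reproduce.

```javascript
// Added example, not Chromium or spec code: a model of the Private Network Access (PNA)
// preflight, client and server side. IPv6 coverage is simplified (assumption noted in lead-in).

const SPACE_RANK = { loopback: 0, private: 1, public: 2 };

// Classify an IP literal into the PNA address space it belongs to.
function addressSpace(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const [a, b] = v4.slice(1, 3).map(Number);
    if (a === 127) return "loopback";
    if (a === 10) return "private";
    if (a === 172 && b >= 16 && b <= 31) return "private";
    if (a === 192 && b === 168) return "private";
    if (a === 169 && b === 254) return "private"; // link-local
    return "public";
  }
  if (ip.includes(":")) {
    const v6 = ip.toLowerCase();
    if (v6 === "::1") return "loopback";
    if (/^f[cd]/.test(v6)) return "private";       // fc00::/7 unique local
    if (/^fe[89ab]/.test(v6)) return "private";    // fe80::/10 link-local
    return "public";
  }
  throw new Error(`not an IP literal: ${ip}`);
}

// A fetch is a "private network request" when the target is more private than the
// initiator. PNA then requires a preflight even for requests CORS treats as simple.
function needsPnaPreflight(initiatorSpace, targetSpace) {
  return SPACE_RANK[targetSpace] < SPACE_RANK[initiatorSpace];
}

// The preflight the browser sends; Origin is the initiating page, not the target.
function buildPnaPreflight(origin, method) {
  return {
    method: "OPTIONS",
    headers: {
      "origin": origin,
      "access-control-request-method": method,
      "access-control-request-private-network": "true",
    },
  };
}

// Server side (e.g. a router admin interface): grant the PNA opt-in only to an
// allowlisted public origin. Anything else is answered without the header, which makes
// the browser fail the request before the real (CSRF-capable) request is ever sent.
function handlePreflight(req, allowedOrigins) {
  const origin = req.headers["origin"];
  const asksPna = req.headers["access-control-request-private-network"] === "true";
  const headers = { "vary": "Origin" };
  if (req.method !== "OPTIONS" || !asksPna || !allowedOrigins.has(origin)) {
    return { status: 204, headers, allowed: false };
  }
  headers["access-control-allow-origin"] = origin;
  headers["access-control-allow-methods"] = req.headers["access-control-request-method"];
  headers["access-control-allow-private-network"] = "true";
  return { status: 204, headers, allowed: true };
}

// Client side: what the browser checks in the preflight response.
function preflightAccepted(response, origin) {
  return response.headers["access-control-allow-private-network"] === "true" &&
    response.headers["access-control-allow-origin"] === origin;
}

// Walk the scenario from the Security section: a page served from a public IP issues
// a POST to a device on the private network.
function simulate(pageOrigin, pageIp, targetIp, allowedOrigins) {
  const initiator = addressSpace(pageIp);
  const target = addressSpace(targetIp);
  if (!needsPnaPreflight(initiator, target)) return { preflight: false, blocked: false };
  const res = handlePreflight(buildPnaPreflight(pageOrigin, "POST"), allowedOrigins);
  return { preflight: true, blocked: !preflightAccepted(res, pageOrigin) };
}

// Constructed scenario: attacker page on 203.0.113.10 targeting a router at 192.168.1.1.
const csrfAttempt = simulate("https://attacker.example", "203.0.113.10", "192.168.1.1", new Set());
const vendorApp = simulate("https://vendor.example", "203.0.113.10", "192.168.1.1",
  new Set(["https://vendor.example"]));
console.log("attacker blocked:", csrfAttempt.blocked, "| vendor blocked:", vendorApp.blocked);
```

Note that the allowlist is the whole point of the server side: a device that answers every preflight with `Access-Control-Allow-Private-Network: true` and `Access-Control-Allow-Origin: *` has opted back into the CSRF exposure this launch is meant to remove.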