Re: [blink-dev] Intent to Experiment: Private Network Access permission to relax mixed content

Mon, 23 Oct 2023 16:36:33 -0700 

Hi Yifan,
Could you please request Privacy, Security, and Debuggability reviews in the chromestatus entry? 

thanks,
Mike

On 10/20/23 9:49 AM, 'Yifan Luo' via blink-dev wrote:



        Contact emails

[email protected], [email protected]


        Explainer

https://github.com/iVanlIsh/private-network-access/blob/main/explainer.md


        Specification

https://wicg.github.io/private-network-access


        Design docs

https://docs.google.com/document/d/1Q18g4fZoDIYQ9IuxlZTaItgkzfiz_tCqaEAI8J3Y1WY/edit


        Summary


In order to establish connections to devices on a local network that 
do not have globally unique names, and therefore cannot obtain TLS 
certificates, this feature introduces a new option to `fetch()` to 
declare a developers' intent to talk to such a device, a new 
policy-controlled feature to gate each sites' access to this 
capability, and new headers for the server's preflight response to 
provide additional metadata.




        Blink component


Blink>SecurityFeature>CORS>PrivateNetworkAccess 
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>



        TAG review

https://github.com/w3ctag/design-reviews/issues/751


        TAG review status

Issues addressed


        Risks



        Interoperability and Compatibility



/Gecko/: No signal

/WebKit/: No signal


/Web developers/: Positive 
(https://github.com/WICG/private-network-access/issues/23)


/Other signals/:


        Ergonomics


This new feature requires users to click on the new permission. This 
may lead users to spamming on some websites. However, this is an 
intentional move to encourage the websites to provide security 
context. The origin trial also aimed to measure the frequency of users 
getting the permissions.




        Activation


No. This feature attempt to bring developers an easier way to restrict 
Private Network Access with secure context.




        Security

This is a security positive feature.



        WebView application risks


Does this intent deprecate or change behavior of existing APIs, such 
that it has potentially high risk for Android WebView-based applications?


None



        Goals for experimentation



        Ongoing technical constraints

None.



        Debuggability


Relevant information (client and resource IP address space) is already 
piped into the DevTools network panel. We’ll likely also represent the 
permission state in the settings pages.




        Will this feature be supported on all six Blink platforms
        (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No


Mac, Windows, Linux, Chrome OS, Fuchsia, Android, WebLayer. Not 
Android WebView because of the absence of deprecation trial 
integration (though that may be changing soon, see 
https://crbug.com/1308425). Not iOS because this requires changes in 
Blink and the network service, neither of which are used on iOS.




        Is this feature fully tested by web-platform-tests
        
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

No


https://wpt.fyi/results/fetch/private-network-access/mixed-content-fetch.tentative.https.window.html?label=master&label=experimental&aligned&q=private-network-access 
<https://wpt.fyi/results/fetch/private-network-access/mixed-content-fetch.tentative.https.window.html?label=master&label=experimental&aligned&q=private-network-access>




        Flag name on chrome://flags



        Finch feature name

None


        Non-finch justification

None


        Requires code in //chrome?

True


        Tracking bug

https://crbug.com/1338439


        Estimated milestones

OriginTrial desktop last        123
OriginTrial desktop first       120



        Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5954091755241472


        Links to previous Intent discussions


Intent to prototype: 
https://groups.google.com/a/chromium.org/g/blink-dev/c/6MczoSFGiHo/m/IigYuhu7AwAJ



This intent message was generated by Chrome Platform Status 
<https://chromestatus.com/>.


--
Yifan
--

You received this message because you are subscribed to the Google 
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAG-zKU_ZS1ibT9H7e5UmoUF2OfCUq5ocsDHaCoJ2rShmPmAejQ%40mail.gmail.com 
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAG-zKU_ZS1ibT9H7e5UmoUF2OfCUq5ocsDHaCoJ2rShmPmAejQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.


--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4b07c47c-cab4-4949-b385-9b85c40d6b0d%40chromium.org.






















					Reply via email to