The change in milestones won't affect your approvals to ship. :)
On 2/9/24 6:24 AM, Jonathan Hao wrote:
I just realized that we can still make M123 so I plan to do so unless
there are any objections.
On Thu, Feb 8, 2024 at 2:29 PM Jonathan Hao <p...@chromium.org> wrote:
Here's a public version of the design doc:
https://docs.google.com/document/d/1QyFqHCgZLmEfy0wbgXNgce9zKpZVaqSpQY3JleFWrk0/edit?usp=sharing
On Wed, Feb 7, 2024 at 5:22 PM Daniel Bratell
<bratel...@gmail.com> wrote:
LGTM3 to add a warning.
Normally we don't like open ended deprecation warnings, end,
which this is, but this should be a rare warning, except
possibly in enterprise situations, and even there, warnings
might trigger some feedback from a group that is normally not
aware of upcoming changes.
/Daniel
On 2024-02-07 14:40, Yoav Weiss (@Shopify) wrote:
LGTM2
On Fri, Feb 2, 2024 at 11:10 PM Mike Taylor
<miketa...@chromium.org> wrote:
Correction: LGTM1, conditioned on requesting Enterprise,
Debuggability, and Testing bits in chromestatus. :)
On 2/2/24 5:09 PM, Mike Taylor wrote:
LGTM1
On 2/2/24 11:17 AM, Jonathan Hao wrote:
Contact emails
p...@chromium.org
Explainer
https://github.com/WICG/private-network-access/blob/main/explainer.md
Specification
https://wicg.github.io/private-network-access
Design docs
https://docs.google.com/document/d/1UqkJsc2VZ4bXmZkVxh-EPyBFEtdxX9p2zX4sxzAj754/edit?usp=sharing&resourcekey=0-7cfhrTo57AElxA6M9EVScg
<https://docs.google.com/document/d/1UqkJsc2VZ4bXmZkVxh-EPyBFEtdxX9p2zX4sxzAj754/edit?usp=sharing&resourcekey=0-7cfhrTo57AElxA6M9EVScg>
Summary
Before a website A navigates to another site B in the
user's private network, this feature does the following:
1. Checks whether the request has been initiated from a
secure context
2. Sends a preflight request, and checks whether B
responds with a header that allows private network access.
The above checks are made to protect the user's private
network. There are already features for subresources
and workers, but this one is for navigation requests
specifically.
Since this feature is the "warning-only" mode, we do
not fail the requests if any of the checks fails.
Instead, a warning will be shown in the DevTools, to
help developers prepare for the coming enforcement.
Blink component
Blink>SecurityFeature>CORS>PrivateNetworkAccess
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
Motivation
To prevent malicious websites from pivoting through the
user agent's network position to attack devices and
services which reasonably assumed they were unreachable
from the Internet at large, by virtue of residing on
the user’s local intranet or the user's machine.
Initial public proposal
https://discourse.wicg.io/t/transfer-cors-rfc1918-and-hsts-priming-to-wicg/1726
TAG review
https://github.com/w3ctag/design-reviews/issues/572
TAG review status
Issues addressed
Risks
Interoperability and Compatibility
Since we don't enforce the checks and only show
warnings, there isn't any compatibility risks on the
client side. On the server side, it shouldn't pose any
risk either as the server can ignore the preflight
requests.
/Gecko/: Positive
(https://github.com/mozilla/standards-positions/issues/143)
https://mozilla.github.io/standards-positions/#cors-and-rfc1918
makes it a bit clearer that this is indeed positive (vs
the issue).
/WebKit/: Positive
(https://github.com/WebKit/standards-positions/issues/163)
Safari disagrees with the spec name and header names,
but still overall positive.
/Web developers/: Mixed signals Anecdotal evidence so
far suggests that most web developers are OK with this
new requirement, though some do not control the target
endpoints and would be negatively impacted.
/Other signals/:
Security
This change aims to be security-positive, preventing
CSRF attacks against soft and juicy targets such as
router admin interfaces. DNS rebinding threats were of
particular concern during the design of this feature:
https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit#heading=h.189j5gnadts9
WebView application risks
Does this intent deprecate or change behavior of
existing APIs, such that it has potentially high risk
for Android WebView-based applications?
None
Debuggability
Relevant information (client and resource IP address
space) is already piped into the DevTools network
panel. Deprecation warnings and errors will be surfaced
in the DevTools issues panel explaining the problem
when it arises.
Is this feature fully tested by
web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes
https://wpt.fyi/results/fetch/private-network-access?q=fetch%2Fprivate-network-access&run_id=5090117631868928&run_id=6245938696814592&run_id=5769215446351872&run_id=5679819023974400
<https://wpt.fyi/results/fetch/private-network-access?q=fetch%2Fprivate-network-access&run_id=5090117631868928&run_id=6245938696814592&run_id=5769215446351872&run_id=5679819023974400>
Flag name on chrome://flags
None
Finch feature name
PrivateNetworkAccessForNavigations,
PrivateNetworkAccessForNavigationsWarningOnly
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1524350
Estimated milestones
Shipping on desktop 124
Shipping on Android 124
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/4869685172764672
This intent message was generated by Chrome Platform
Status <https://chromestatus.com/>.
--
You received this message because you are subscribed to
the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiPJ3_pVL7Tecn_3iKBMojOVPx8%3D%3DnCDQWRKetG_9WBxsWg%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiPJ3_pVL7Tecn_3iKBMojOVPx8%3D%3DnCDQWRKetG_9WBxsWg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to
the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/8f8b93f8-4358-4fdc-bfe2-d43cec3e37c1%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/8f8b93f8-4358-4fdc-bfe2-d43cec3e37c1%40chromium.org?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the
Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from
it, send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSLfMW08XDibmDKrCKkJOjyHj3B%2B3MsmQ4WnwxeoBk_wng%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSLfMW08XDibmDKrCKkJOjyHj3B%2B3MsmQ4WnwxeoBk_wng%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2ec27d14-67c0-494b-bc7b-5a82f48812bb%40chromium.org.