On 6/4/24 6:26 AM, 'Kagami Rosylight' via blink-dev wrote:

> /Gecko/: Closed Without a Position (https://github.com/mozilla/standards-positions/issues/143)

It looks like it's closed with position: "worth prototyping", though? Or is there another issue that is closed without position?

I can see why that's confusing - it's labelled as "proposal appears stale", but if you follow the linked PR https://github.com/mozilla/standards-positions/pull/480 you can get to the actual resolution.


On Monday, June 3, 2024 at 6:04:03 PM UTC+2 dad...@google.com wrote:


            Contact emails

    l...@chromium.org


            Explainer

    None


            Specification

    https://wicg.github.io/private-network-access


            Summary

    We propose to block access to IP address 0.0.0.0 in advance of PNA
    completely rolling out. Chrome is deprecating direct access to
    private network endpoints from public websites as part of the
    Private Network Access (PNA) specification
    (https://developer.chrome.com/blog/private-network-access-preflight/).
    Services listening on the localhost (127.0.0.0/8) are considered
    private according to the specification
    (https://wicg.github.io/private-network-access/#ip-address-space-heading).
    Chrome's PNA protection (rolled out as part of
    https://chromestatus.com/feature/5436853517811712) can be bypassed
    using the IP address 0.0.0.0 to access services listening on the
    localhost on macOS and Linux. This can also be abused in DNS
    rebinding attacks targeting a web application listening on the
    localhost. Since 0.0.0.0 is not used in practice (and should not
    be used), but was overlooked during
    https://chromestatus.com/feature/5436853517811712, we're
    deprecating it separately from the rest of the private network
    requests deprecation. This will be a Finch (experimental) rollout,
    rather than a Developer Trial.



            Blink component

    Blink>SecurityFeature>CORS>PrivateNetworkAccess
    <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>


            Search tags

    security <https://chromestatus.com/features#tags:security>,
    Private Network Access
    <https://chromestatus.com/features#tags:Private%20Network%20Access>


            TAG review

    None


            TAG review status

    Not applicable


            Chromium Trial Name

    PrivateNetworkAccessNullIpAddressAllowed


            Origin Trial documentation link

    https://crbug.com/1300021


            WebFeature UseCounter name

    kPrivateNetworkAccessNullIpAddress


            Risks



            Interoperability and Compatibility

    None



    /Gecko/: Closed Without a Position
    (https://github.com/mozilla/standards-positions/issues/143)

    /WebKit/: Support
    (https://github.com/WebKit/standards-positions/issues/163)

    /Web developers/: No signals

    /Other signals/:


            WebView application risks

    Does this intent deprecate or change behavior of existing APIs,
    such that it has potentially high risk for Android WebView-based
    applications?

    None



            Goals for experimentation



            Ongoing technical constraints

    Eventually, all private network access will be limited according
    to the developing Private Network Access spec.



            Debuggability

    None



            Will this feature be supported on all six Blink platforms
            (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

    Yes


            Is this feature fully tested by web-platform-tests
            <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

    No


            Flag name on chrome://flags

    block-null-ip-address


            Finch feature name

    PrivateNetworkAccessNullIpAddress


            Requires code in //chrome?

    False


            Tracking bug

    https://crbug.com/1300021


            Estimated milestones

    Shipping on desktop         133
    Origin trial desktop first  127
    Origin trial desktop last   133
    DevTrial on desktop         127

    Shipping on Android         133
    OriginTrial Android last    133
    OriginTrial Android first   127
    DevTrial on Android         127

    Shipping on WebView         133
    OriginTrial webView last    133
    OriginTrial webView first   127



            Link to entry on the Chrome Platform Status

    https://chromestatus.com/feature/5106143060033536

    This intent message was generated by Chrome Platform Status
    <https://chromestatus.com/>.
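
The gap described in the Summary, as an added example that is not part of the original message or of Chromium's code: a simplified address-space classifier modelled on the PNA specification, in which 0.0.0.0 matches neither the local nor the private ranges and so is treated as public unless it is refused explicitly. The range table, the function names and the `block_null_ip` parameter are assumptions made for this example.

```python
import ipaddress

# Address-space table modelled on the Private Network Access spec
# (assumption: abbreviated for this example, not Chromium's table).
LOCAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]
RANK = {"local": 0, "private": 1, "public": 2}  # higher means more public
NULL_IP = ipaddress.ip_address("0.0.0.0")


def address_space(ip):
    """Classify an IP literal as 'local', 'private' or 'public'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL):
        return "local"
    if any(addr in net for net in PRIVATE):
        return "private"
    return "public"  # 0.0.0.0 matches no range above and lands here


def pna_decision(initiator_ip, target_ip, block_null_ip):
    """Return 'block', 'private-network-request' or 'allow'.

    block_null_ip (hypothetical parameter) models the behaviour this
    intent proposes: refuse 0.0.0.0 outright instead of classifying it.
    """
    if block_null_ip and ipaddress.ip_address(target_ip) == NULL_IP:
        return "block"
    if RANK[address_space(target_ip)] < RANK[address_space(initiator_ip)]:
        return "private-network-request"  # subject to PNA checks
    return "allow"


if __name__ == "__main__":
    page = "203.0.113.10"  # constructed public initiator (TEST-NET-3)
    for target in ("127.0.0.1", "192.168.1.20", "0.0.0.0", "198.51.100.7"):
        print(target, pna_decision(page, target, False),
              pna_decision(page, target, True))
```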

