Can you please start (or possibly N/A) the
Privacy/Security/Enterprise/Debuggability/Testing pills in Chromestatus?
/Daniel
On 2024-06-03 21:56, 'David Adrian' via blink-dev wrote:
> Can you please elaborate on the analysis: how low is the usage and
> how did you check that the use is malware?
The Blink.UseCounter.Feature for PrivateNetworkAccessNullIpAddress
shows
<https://uma.googleplex.com/p/chrome/timeline_v2?sid=a4f412aa940bd3dd7b2bc6c960c2d91d>
below 0.001% on all platforms.
We've had multiple reports of malware leveraging this to attack
specific developer tooling frameworks, e.g. https://crbug.com/40058874.
> Also, just to confirm, this is an intent to deprecate and remove but
> you're planning on rolling out the removal gradually via finch, right?
Correct.
On Mon, Jun 3, 2024 at 1:25 PM Vladimir Levin <vmp...@chromium.org> wrote:
On Mon, Jun 3, 2024 at 12:06 PM 'David Adrian' via blink-dev
<blink-dev@chromium.org> wrote:
Chrome Status doesn't generate emails for the deprecation
trials, only developer trials, so I've repurposed that here.
This is a Finch managed rollout, not a developer opt-in, due
to the extremely low usage that seems to be almost entirely
malware.
Can you please elaborate on the analysis: how low is the usage and
how did you check that the use is malware?
Also, just to confirm, this is an intent to deprecate and remove
but you're planning on rolling out the removal gradually via
finch, right?
Thanks!
Vlad
On Mon, Jun 3, 2024 at 12:03 PM David Adrian
<dadr...@google.com> wrote:
Contact emails
l...@chromium.org
Explainer
None
Specification
https://wicg.github.io/private-network-access
Summary
We propose to block access to IP address 0.0.0.0 in
advance of PNA completely rolling out. Chrome is
deprecating direct access to private network endpoints
from public websites as part of the Private Network Access
(PNA) specification
(https://developer.chrome.com/blog/private-network-access-preflight/).
Services listening on the localhost (127.0.0.0/8) are
considered private according to
the specification
(https://wicg.github.io/private-network-access/#ip-address-space-heading).
Chrome's PNA protection (rolled out as part of
https://chromestatus.com/feature/5436853517811712) can be
bypassed using the IP address 0.0.0.0 to access services
listening on the localhost on macOS and Linux. This can
also be abused in DNS rebinding attacks targeting a web
application listening on the localhost. Since 0.0.0.0 is
not used in practice (and should not be used), but was
overlooked during
https://chromestatus.com/feature/5436853517811712, we're
deprecating it separately from the rest of the private
network requests deprecation. This will be a Finch
(experimental) rollout, rather than a Developer Trial.
Blink component
Blink>SecurityFeature>CORS>PrivateNetworkAccess
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
Search tags
security
<https://chromestatus.com/features#tags:security>, Private
Network Access
<https://chromestatus.com/features#tags:Private%20Network%20Access>
TAG review
None
TAG review status
Not applicable
Chromium Trial Name
PrivateNetworkAccessNullIpAddressAllowed
Origin Trial documentation link
https://crbug.com/1300021
WebFeature UseCounter name
kPrivateNetworkAccessNullIpAddress
Risks
Interoperability and Compatibility
None
/Gecko/: Closed Without a Position
(https://github.com/mozilla/standards-positions/issues/143)
/WebKit/: Support
(https://github.com/WebKit/standards-positions/issues/163)
/Web developers/: No signals
/Other signals/:
WebView application risks
Does this intent deprecate or change behavior of existing
APIs, such that it has potentially high risk for Android
WebView-based applications?
None
Goals for experimentation
Ongoing technical constraints
Eventually, all private network access will be limited
according to the developing Private Network Access spec.
Debuggability
None
Will this feature be supported on all six Blink
platforms (Windows, Mac, Linux, ChromeOS, Android,
and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No
Flag name on chrome://flags
block-null-ip-address
Finch feature name
PrivateNetworkAccessNullIpAddress
Requires code in //chrome?
False
Tracking bug
https://crbug.com/1300021
Estimated milestones
Shipping on desktop 133
Origin trial desktop first 127
Origin trial desktop last 133
DevTrial on desktop 127
Shipping on Android 133
OriginTrial Android last 133
OriginTrial Android first 127
DevTrial on Android 127
Shipping on WebView 133
OriginTrial webView last 133
OriginTrial webView first 127
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5106143060033536
This intent message was generated by Chrome Platform
Status <https://chromestatus.com/>.
--
You received this message because you are subscribed to the
Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from
it, send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BQKMO3O3dgP-pRY-44xypbZ1CPsfiFjDGwcdrU0w0JqA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
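To make the gap described in the intent's summary concrete, here is an added example (not Chrome's code and not part of the thread) of an address-space classifier in the style of the PNA draft's "IP address space" definition, with the pre-fix behaviour (only 127.0.0.0/8 counts as local, so 0.0.0.0 is classified "public") beside the corrected one (0.0.0.0, which macOS and Linux route to the loopback interface, is treated as local). The block lists, the `block_null_ip` switch, the inclusion of the IPv6 unspecified address `::`, and the function names are all assumptions made for this example; only the 0.0.0.0 hole and the loopback range come from the intent text.

```python
import ipaddress
from enum import Enum


class AddressSpace(Enum):
    """The three address spaces the PNA draft distinguishes."""
    LOCAL = "local"
    PRIVATE = "private"
    PUBLIC = "public"


# Address blocks modelled on the PNA draft's address-space table
# (https://wicg.github.io/private-network-access/#ip-address-space-heading).
# Constructed for this example; not Chrome's real tables.
LOCAL_BLOCKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]
# The gap the intent closes: 0.0.0.0 is delivered to the loopback interface on
# macOS and Linux, so a classifier that only knows 127.0.0.0/8 labels it
# "public" and a public page can reach localhost services through it.
# Treating the IPv6 unspecified address "::" the same way is an assumption.
NULL_BLOCKS = [ipaddress.ip_network("0.0.0.0/8"), ipaddress.ip_network("::/128")]

# Ordering used to decide whether a target is "less public" than its initiator.
_RANK = {AddressSpace.PUBLIC: 0, AddressSpace.PRIVATE: 1, AddressSpace.LOCAL: 2}


def address_space(ip_text, block_null_ip=True):
    """Classify a single resolved IP address.

    block_null_ip=False reproduces the pre-fix behaviour (0.0.0.0 -> PUBLIC);
    block_null_ip=True is the corrected policy (0.0.0.0 -> LOCAL).
    """
    ip = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) must be unwrapped, or the
    # IPv4 block lists never match them.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if block_null_ip and any(ip in block for block in NULL_BLOCKS):
        return AddressSpace.LOCAL
    if any(ip in block for block in LOCAL_BLOCKS):
        return AddressSpace.LOCAL
    if any(ip in block for block in PRIVATE_BLOCKS):
        return AddressSpace.PRIVATE
    return AddressSpace.PUBLIC


def is_private_network_request(initiator_ip, target_ip, block_null_ip=True):
    """True when a document served from initiator_ip fetches a target whose
    address space is less public than its own (the PNA notion of a private
    network request, which the deprecation blocks).

    Both arguments are the *resolved* addresses: classifying the hostname
    instead would let a DNS rebinding attack, where the name first resolves
    to a public address and later to a local one, slip through.
    """
    initiator = address_space(initiator_ip, block_null_ip)
    target = address_space(target_ip, block_null_ip)
    return _RANK[target] > _RANK[initiator]


def bypass_closed(public_page_ip="203.0.113.5"):
    """Show the before/after for a public page reaching localhost via 0.0.0.0.
    Returns (blocked_before_fix, blocked_after_fix)."""
    before = is_private_network_request(public_page_ip, "0.0.0.0", block_null_ip=False)
    after = is_private_network_request(public_page_ip, "0.0.0.0", block_null_ip=True)
    return before, after


if __name__ == "__main__":
    # Constructed sample: a public documentation-style address as the page origin.
    print("0.0.0.0 treated as private network request (before, after):", bypass_closed())
    print("127.0.0.1 treated as private network request:",
          is_private_network_request("203.0.113.5", "127.0.0.1"))
```

The pre-fix classifier and the PNA request check agree that 127.0.0.1 is a private network request from a public page, yet disagree on 0.0.0.0, which is exactly the inconsistency the intent describes; the corrected policy makes both answers the same.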