LGTM3 On Wed, Jun 5, 2024 at 11:43 AM Yoav Weiss (@Shopify) < yoavwe...@chromium.org> wrote:
> LGTM2 > > On Wed, Jun 5, 2024 at 5:41 PM Daniel Bratell <brat...@sarasas.se> wrote: > >> LGTM1 >> >> /Daniel >> On 2024-06-03 18:03, 'David Adrian' via blink-dev wrote: >> >> Contact emails l...@chromium.org >> >> Explainer None >> >> Specification https://wicg.github.io/private-network-access >> >> Summary >> >> We propose to block access to IP address 0.0.0.0 in advance of PNA >> completely rolling out. Chrome is deprecating direct access to private >> network endpoints from public websites as part of the Private Network >> Access (PNA) specification ( >> https://developer.chrome.com/blog/private-network-access-preflight/). >> Services listening on the localhost (127.0.0.0/8) are considered private >> according to the specification ( >> https://wicg.github.io/private-network-access/#ip-address-space-heading). >> Chrome's PNA protection (rolled out as part of >> https://chromestatus.com/feature/5436853517811712) can be bypassed using >> the IP address 0.0.0.0 to access services listening on the localhost on >> macOS and Linux. This can also be abused in DNS rebinding attacks targeting >> a web application listening on the localhost. Since 0.0.0.0 is not used in >> practice (and should not be used), but was overlooked during >> https://chromestatus.com/feature/5436853517811712, we're deprecating it >> separately from the rest of the private network requests deprecation. This >> will be a Finch (experimental) rollout, rather than a Developer Trial. >> >> >> Blink component Blink>SecurityFeature>CORS>PrivateNetworkAccess >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess> >> >> Search tags security <https://chromestatus.com/features#tags:security>, >> Private >> Network Access >> <https://chromestatus.com/features#tags:Private%20Network%20Access> >> >> TAG review None >> >> TAG review status Not applicable >> >> Chromium Trial Name PrivateNetworkAccessNullIpAddressAllowed >> >> Origin Trial documentation link https://crbug.com/1300021 >> >> WebFeature UseCounter name kPrivateNetworkAccessNullIpAddress >> >> Risks >> >> >> Interoperability and Compatibility >> >> None >> >> >> *Gecko*: Closed Without a Position ( >> https://github.com/mozilla/standards-positions/issues/143) >> >> *WebKit*: Support ( >> https://github.com/WebKit/standards-positions/issues/163) >> >> *Web developers*: No signals >> >> *Other signals*: >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> None >> >> >> Goals for experimentation >> >> Ongoing technical constraints >> >> Eventually, all private network access will be limited according to the >> developing Private Network Access spec. >> >> >> Debuggability >> >> None >> >> >> Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, ChromeOS, Android, and Android WebView)? Yes >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ? No >> >> Flag name on chrome://flags block-null-ip-address >> >> Finch feature name PrivateNetworkAccessNullIpAddress >> >> Requires code in //chrome? False >> >> Tracking bug https://crbug.com/1300021 >> >> Estimated milestones >> Shipping on desktop 133 >> Origin trial desktop first 127 >> Origin trial desktop last 133 >> DevTrial on desktop 127 >> Shipping on Android 133 >> OriginTrial Android last 133 >> OriginTrial Android first 127 >> DevTrial on Android 127 >> Shipping on WebView 133 >> OriginTrial webView last 133 >> OriginTrial webView first 127 >> >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/5106143060033536 >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42L-7xt9YY-jmq-G4-nuitqELpgqgnvECkbCoPpAWWMMjw%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42L-7xt9YY-jmq-G4-nuitqELpgqgnvECkbCoPpAWWMMjw%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/683cadae-9413-4125-9209-4ecfe1b812aa%40sarasas.se >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/683cadae-9413-4125-9209-4ecfe1b812aa%40sarasas.se?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSLHTiP3%2BEjLdMVnDK%3DD88Zixa_gDaHoS8t9MxoTTzP6Ow%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSLHTiP3%2BEjLdMVnDK%3DD88Zixa_gDaHoS8t9MxoTTzP6Ow%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXd2PvDrQT-keGf69Grsm_-JygRd9i9nDfmDqR-zGio-8TAQ%40mail.gmail.com.