Hi there friendly WebKittens,

I have been implementing the second step of Private Network Access (PNA) [1] in Chromium.

When a website served over HTTP from a public IP address makes a subresource request to a private (RFC1918) IP address or localhost, Chrome will send a CORS preflight request with an extra PNA-specific header ahead of the actual request. This change also affects websites served from private IP addresses making subresource requests to localhost. The idea is to ask the target server whether it wants to opt into being contacted from the public internet. Most endpoints on the private network probably do not expect to receive such requests, and are often vulnerable to CSRF attacks.

We have metrics in place telling us that ~1% of page visits at most make use of this feature, with a fairly clear weekly pattern suggesting use in work contexts.

I am interested in WebKit's opinion on this matter. For more details, see the chromestatus entry [2].

Cheers,
Titouan

[1] https://wicg.github.io/private-network-access/
[2] https://chromestatus.com/feature/5737414355058688
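The preflight rule described in the mail, as an added example that is not part of the original post or of Chromium/WebKit code: it classifies initiator and target addresses the way the mail does (localhost, RFC1918, public), decides when a PNA preflight is needed, and shows the opt-in response a private-network server would return. The header names follow the WICG draft linked above and are an assumption of this example, as is the default-deny policy keyed on an allow-list of origins.

```python
import ipaddress
from typing import Dict, Set

# Added example, not Chromium/WebKit code. Header names are taken from the
# WICG PNA draft and are an assumption here.
PNA_REQUEST_HEADER = "Access-Control-Request-Private-Network"
PNA_ALLOW_HEADER = "Access-Control-Allow-Private-Network"

# Simplified ordering from the mail: loopback is more private than RFC1918
# space, which is more private than the public internet.
PRIVACY_RANK = {"public": 0, "private": 1, "local": 2}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_space(ip: str) -> str:
    """Classify an IP as 'local' (loopback), 'private' (RFC1918) or 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "local"
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "private"
    return "public"


def requires_pna_preflight(initiator_ip: str, target_ip: str) -> bool:
    """True when the page's address space is less private than the target's,
    i.e. public -> private, public -> local, or private -> local."""
    return PRIVACY_RANK[address_space(initiator_ip)] < PRIVACY_RANK[address_space(target_ip)]


def preflight_response(request_headers: Dict[str, str],
                       allowed_origins: Set[str]) -> Dict[str, str]:
    """Build the preflight response an internal server should send.

    Default is to decline: only an Origin on the allow-list receives the
    opt-in header, so CSRF-prone endpoints stay unreachable from other sites.
    """
    origin = request_headers.get("Origin", "")
    wants_pna = request_headers.get(PNA_REQUEST_HEADER, "").lower() == "true"
    response = {"Vary": "Origin"}
    if origin in allowed_origins:
        response["Access-Control-Allow-Origin"] = origin
        if wants_pna:
            response[PNA_ALLOW_HEADER] = "true"
    return response
```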
webkit-dev mailing list: webkit-dev@lists.webkit.org, https://lists.webkit.org/mailman/listinfo/webkit-dev