Le lun. 3 mai 2021 à 14:58, Titouan Rigoudy via webkit-dev <webkit-dev@lists.webkit.org> a écrit :

Hi there friendly WebKittens,

I am gearing up to ship a small first step of Private Network Access [1] in Chromium. Roughly:

Websites served over HTTP from public IP addresses will no longer be allowed to make subresource fetches to private IP addresses (RFC1918 and/or localhost). Specifically, this restriction applies to non-secure contexts. Secure contexts are unaffected by this change.

This seems like a good move to me.

To be sure to understand, private IP address servers will not be able to opt-in to be accessed by any HTTP origin.

But they will be able to opt-in for specific HTTPS origins.

Is it correct?

We have metrics in place telling us that ~0.1% of page visits at most make use of this feature.

Do you know whether these 0.1% happens more often in corporate networks?

I am interested in WebKit's opinion on this matter.

For more details, see the chromestatus entry [2] and the Intent to Ship thread on blink-dev@chromium.org [3].

Cheers,
Titouan

[1] https://wicg.github.io/private-network-access/
[2] https://chromestatus.com/feature/5436853517811712
[3] https://groups.google.com/a/chromium.org/g/blink-dev/c/cPiRNjFoCag/m/DxEEN9-6BQAJ
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev