On Mon, May 3, 2021 at 3:38 PM youenn fablet <youennf@gmail.com> wrote:


On Mon, May 3, 2021 at 14:58, Titouan Rigoudy via webkit-dev <webkit-dev@lists.webkit.org> wrote:
Hi there friendly WebKittens,

I am gearing up to ship a small first step of Private Network Access [1] in Chromium. Roughly:

Websites served over HTTP from public IP addresses will no longer be allowed to make subresource fetches to private IP addresses (RFC1918 and/or localhost). Specifically, this restriction applies to non-secure contexts. Secure contexts are unaffected by this change.

This seems like a good move to me.
To be sure to understand, private IP address servers will not be able to opt-in to be accessed by any HTTP origin.
But they will be able to opt-in for specific HTTPS origins.
Is it correct?

That's the intended end state. I have not implemented the CORS preflight logic needed for target websites to opt in. So, when we ship this:
 - private IP address servers will not be fetchable from any HTTP origins (precisely: non-secure contexts)
 - but they remain fetchable with no change at all from HTTPS origins (precisely: secure contexts)
 
We have metrics in place telling us that ~0.1% of page visits at most make use of this feature.

Do you know whether this 0.1% happens more often in corporate networks?

While we have seen some instances that seem to fit the Intranet bill, our fine-grained metrics have shown that this feature is used in small amounts on a wide variety of websites, most of which are public.

Cheers,
Titouan

I am interested in WebKit's opinion on this matter. 

For more details, see the chromestatus entry [2] and the Intent to Ship thread on blink-dev@chromium.org [3].

Cheers,
Titouan
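To make the shipped rule concrete, here is an added example (not code from this thread or from Chromium) that models the first Private Network Access step as described above: a fetch is blocked only when the initiating page is a non-secure context served from a public address and the target is an RFC1918 or loopback address, and secure contexts are left untouched because the opt-in preflight is not implemented yet. The address-space classifier, the treatment of unparseable hostnames as public, and the shape of the `initiator` object are assumptions made for the illustration.

```javascript
// Added example: a model of the first Private Network Access step.
// Parse a dotted-decimal IPv4 literal into four octets, or null if invalid.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Classify a target host into the spaces the rule distinguishes:
// "local" (loopback / localhost), "private" (RFC1918) or "public".
// Assumption: anything that is not an IPv4 literal, "localhost" or "::1"
// is treated as public here; a real browser classifies the resolved address.
function addressSpace(host) {
  if (host === "localhost" || host === "::1") return "local";
  const o = parseIPv4(host);
  if (!o) return "public";
  if (o[0] === 127) return "local";                               // 127.0.0.0/8
  if (o[0] === 10) return "private";                               // 10.0.0.0/8
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return "private";  // 172.16.0.0/12
  if (o[0] === 192 && o[1] === 168) return "private";              // 192.168.0.0/16
  return "public";
}

// initiator = { secureContext: boolean, addressSpace: "public"|"private"|"local" }
// Returns true when this first step would block the subresource fetch.
function isBlocked(initiator, targetHost) {
  if (initiator.secureContext) return false;            // secure contexts unaffected
  if (initiator.addressSpace !== "public") return false; // only public pages restricted
  return addressSpace(targetHost) !== "public";          // private or local target
}

// Constructed sample: an http:// page on a public IP fetching an intranet host.
const httpPublicPage = { secureContext: false, addressSpace: "public" };
console.log(isBlocked(httpPublicPage, "192.168.1.10")); // true
```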

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev