[webkit-dev] Request for opinion: Private Network Access secure context restriction
titouan at google.com
Mon May 3 06:51:24 PDT 2021
On Mon, May 3, 2021 at 3:38 PM youenn fablet <youennf at gmail.com> wrote:
> On Mon, May 3, 2021 at 14:58, Titouan Rigoudy via webkit-dev <
> webkit-dev at lists.webkit.org> wrote:
>> Hi there friendly WebKittens,
>> I am gearing up to ship a small first step of Private Network Access 
>> in Chromium. Roughly:
>> Websites served over HTTP from public IP addresses will no longer be
>> allowed to make subresource fetches to private IP addresses (RFC1918 and/or
>> localhost). Specifically, this restriction applies to non-secure contexts.
>> Secure contexts are unaffected by this change.
> This seems like a good move to me.
> To be sure to understand, private IP address servers will not be able to
> opt-in to be accessed by any HTTP origin.
> But they will be able to opt-in for specific HTTPS origins.
> Is it correct?
That's the intended end state. I have not implemented the CORS preflight
logic needed for target websites to opt in. So, when we ship this:
- private IP address servers will not be fetchable from any HTTP origins
(precisely: non-secure contexts)
- but they remain fetchable with no change at all from HTTPS origins
(precisely: secure contexts)
>> We have metrics in place telling us that ~0.1% of page visits at most make
>> use of this feature.
> Do you know whether these 0.1% happens more often in corporate networks?
While we have seen some instances that seem to fit the Intranet bill, our
fine-grained metrics have shown that this feature is used in small amounts on a
wide variety of websites, most of which are public.
>> I am interested in WebKit's opinion on this matter.
>> For more details, see the chromestatus entry and the Intent to Ship
>> thread on blink-dev at chromium.org.
>>  https://wicg.github.io/private-network-access/
>>  https://chromestatus.com/feature/5436853517811712
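The restriction described in the thread boils down to two checks: classify the initiator's and the target's IP addresses into an address space, then block the fetch only when the initiator is a non-secure context reaching into a more private space than its own. The following Python is an added illustration written for this page, not Chromium or WebKit code. It assumes the three-tier ordering public < private < local from the Private Network Access draft, so it also blocks private-to-localhost fetches from non-secure contexts (the mail only spells out the public-to-private case), and it treats the literal host name "localhost" as local; the sample addresses are constructed.

```python
import ipaddress

# Address spaces ordered from least to most private; a non-secure context
# may not fetch into a space ranked higher than its own (assumption: the
# draft spec's ordering, which generalises the public->private case in the mail).
SPACE_RANK = {"public": 0, "private": 1, "local": 2}

# RFC1918 ranges, as named in the thread.
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# Loopback, i.e. "localhost" in the thread's wording.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]


def address_space(host: str) -> str:
    """Map a host name or IP literal to 'public', 'private' or 'local'."""
    if host == "localhost":  # assumption: treat the literal name as loopback
        return "local"
    addr = ipaddress.ip_address(host)
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so mixing IPv4 addresses with the ::1/128 entry is safe.
    if any(addr in net for net in LOCAL_NETWORKS):
        return "local"
    if any(addr in net for net in PRIVATE_NETWORKS):
        return "private"
    return "public"


def fetch_decision(initiator_host: str, initiator_secure: bool, target_host: str) -> str:
    """Return 'allow' or 'block' for a subresource fetch.

    Mirrors the first shipping step from the thread: secure contexts are
    untouched (no opt-in preflight yet), while a non-secure context is blocked
    from reaching a more private address space than the one it was served from.
    """
    if initiator_secure:
        return "allow"
    initiator_space = address_space(initiator_host)
    target_space = address_space(target_host)
    if SPACE_RANK[target_space] > SPACE_RANK[initiator_space]:
        return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed sample fetches: (initiator, secure?, target).
    samples = [
        ("203.0.113.5", False, "192.168.1.10"),   # public HTTP page -> RFC1918: blocked
        ("203.0.113.5", False, "localhost"),      # public HTTP page -> loopback: blocked
        ("203.0.113.5", True, "192.168.1.10"),    # HTTPS page: unaffected
        ("192.168.1.2", False, "192.168.1.10"),   # same space: allowed
        ("192.168.1.2", False, "127.0.0.1"),      # private -> local: blocked
        ("203.0.113.5", False, "198.51.100.7"),   # public -> public: allowed
    ]
    for initiator, secure, target in samples:
        scheme = "https" if secure else "http"
        print(f"{scheme}://{initiator} -> {target}: {fetch_decision(initiator, secure, target)}")
```

The decision function takes the context's secure flag separately from its address because, as the thread stresses, the gate is "non-secure context", not "served over HTTP from a public IP" per se; a page's scheme and its server's address space are independent inputs.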