Titouan Rigoudy titouan at google.com
Wed Nov 10 06:31:20 PST 2021

Hi there friendly WebKittens,

I have been implementing the second step of Private Network Access (PNA)
[1] in Chromium.

When a website served over HTTP from a public IP address makes a subresource
request to a private (RFC1918) IP address or localhost, Chrome will send a
CORS preflight request with an extra PNA-specific header ahead of the
actual request. This change also affects websites served from private IP
addresses making subresource requests to localhost.

The idea is to ask the target server whether it wants to opt into being
contacted from the public internet. Most endpoints on the private network
probably do not expect to receive such requests, and are often vulnerable
to CSRF attacks.

We have metrics in place telling us that ~1% of page visits at most make
use of this feature, with a fairly clear weekly pattern suggesting use in
work contexts.

I am interested in WebKit's opinion on this matter.

For more details, see the chromestatus entry [2].


[1] https://wicg.github.io/private-network-access/
[2] https://chromestatus.com/feature/5737414355058688
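
The preflight gate described in the message above, modelled as an added example (this is not code from the message, from Chromium or from WebKit). The address-space classification follows the rules stated in the message (the three RFC 1918 ranges plus loopback; IPv6 is left out), the two header names are the ones used by the WICG draft [1], and `deviceHandlePreflight` is a hypothetical stand-in for an endpoint on the private network, with a `pnaAware` switch to model the common legacy device that answers the CORS part only.

```javascript
// Added example (not Chromium or WebKit code): the Private Network Access
// preflight gate described in the message, reduced to a model that runs in
// Node.js. Address spaces follow the message's rules (RFC 1918 + loopback,
// IPv4 only); header names are the ones in the WICG draft. The device
// handler is a hypothetical stand-in for an endpoint on the private network.

// Classify an IPv4 literal into PNA's three address spaces.
// (Octet range validation is skipped to keep the example short.)
function addressSpace(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) throw new Error('IPv4 literal expected: ' + ip);
  const [a, b] = m.slice(1, 3).map(Number);
  if (a === 127) return 'local';                         // 127.0.0.0/8 loopback
  if (a === 10) return 'private';                        // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return 'private'; // 172.16.0.0/12
  if (a === 192 && b === 168) return 'private';          // 192.168.0.0/16
  return 'public';
}

// Ordering from most to least exposed. A request whose target ranks higher
// than its initiator is one that reaches into a less public network.
const RANK = { public: 0, private: 1, local: 2 };

// True when the browser must send the PNA preflight first: public -> private,
// public -> local and private -> local, exactly the cases in the message.
function needsPnaPreflight(initiatorIp, targetIp) {
  return RANK[addressSpace(targetIp)] > RANK[addressSpace(initiatorIp)];
}

// The preflight the browser sends: an ordinary CORS preflight plus the
// PNA-specific request header.
function buildPreflight(origin, method, targetUrl) {
  return {
    method: 'OPTIONS',
    url: targetUrl,
    headers: {
      'Origin': origin,
      'Access-Control-Request-Method': method,
      'Access-Control-Request-Private-Network': 'true',
    },
  };
}

// Hypothetical device on the private network. With pnaAware=false it answers
// the CORS part only and never emits the PNA opt-in header, which is the
// "does not expect such requests" case the message describes.
function deviceHandlePreflight(preflight, { allowedOrigins, pnaAware }) {
  const origin = preflight.headers['Origin'];
  if (!allowedOrigins.includes(origin)) return { status: 403, headers: {} };
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': preflight.headers['Access-Control-Request-Method'],
  };
  if (pnaAware && preflight.headers['Access-Control-Request-Private-Network'] === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Browser-side check of the reply: the CORS answer and the explicit PNA
// opt-in must both be present, otherwise the actual request is never sent.
function preflightAllowed(origin, reply) {
  if (reply.status < 200 || reply.status > 299) return false;
  const h = {};
  for (const [k, v] of Object.entries(reply.headers)) h[k.toLowerCase()] = v;
  const acao = h['access-control-allow-origin'];
  const corsOk = acao === '*' || acao === origin;
  const pnaOk = h['access-control-allow-private-network'] === 'true';
  return corsOk && pnaOk;
}

// End to end: does a subresource fetch from a page at initiatorIp reach the
// target at targetIp, given how the target's device behaves?
function simulateFetch({ origin, initiatorIp, targetIp, targetUrl, method, device }) {
  if (!needsPnaPreflight(initiatorIp, targetIp)) return 'no-pna-preflight';
  const preflight = buildPreflight(origin, method, targetUrl);
  const reply = deviceHandlePreflight(preflight, device);
  return preflightAllowed(origin, reply) ? 'allowed' : 'blocked';
}

// Constructed scenario: a public site fetching from a router's admin API.
const scenario = {
  origin: 'http://public.example',
  initiatorIp: '203.0.113.5',
  targetIp: '192.168.1.1',
  targetUrl: 'http://192.168.1.1/api/config',
  method: 'GET',
};
const legacyRouter = { allowedOrigins: ['http://public.example'], pnaAware: false };
const updatedRouter = { allowedOrigins: ['http://public.example'], pnaAware: true };
console.log(simulateFetch({ ...scenario, device: legacyRouter }));  // blocked
console.log(simulateFetch({ ...scenario, device: updatedRouter })); // allowed
```

The point the model makes concrete is that a permissive CORS policy alone is not an opt-in: a device that already answers `Access-Control-Allow-Origin: *` still has its cross-network requests blocked until it also returns the PNA allow header, while requests that stay within one address space (private to private) are unaffected.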
