[webkit-dev] Request for opinion: Private Network Access preflights
titouan at google.com
Wed Nov 10 06:33:54 PST 2021
Woops, the following line:
> When a website served over HTTP from a public IP address
Should instead read:
"When a website served from a public IP address"
There is no distinction between secure and non-secure contexts for this
On Wed, Nov 10, 2021 at 3:31 PM Titouan Rigoudy <titouan at google.com> wrote:
> Hi there friendly WebKittens,
> I have been implementing the second step of Private Network Access (PNA) in Chromium.
> When a website served over HTTP from a public IP address makes a
> subresource request to a private (RFC1918) IP address or localhost, Chrome
> will send a CORS preflight request with an extra PNA-specific header ahead
> of the actual request. This change also affects websites served from
> private IP addresses making subresource requests to localhost.
> The idea is to ask the target server whether it wants to opt into being
> contacted from the public internet. Most endpoints on the private network
> probably do not expect to receive such requests, and are often vulnerable
> to CSRF attacks.
> We have metrics in place telling us that ~1% of page visits at most make
> use of this feature, with a fairly clear weekly pattern suggesting use in
> work contexts.
> I am interested in WebKit's opinion on this matter.
> For more details, see the chromestatus entry.
>  https://wicg.github.io/private-network-access/
>  https://chromestatus.com/feature/5737414355058688
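As an added illustration (not code from the mail, from Chromium or from WebKit), the following Python models the rule described above: a subresource request gets a PNA preflight only when the target sits in a more private address space than the page that issued it, and the target server must explicitly opt in. The header names are assumed from the WICG draft linked in the mail; all IP addresses are constructed samples.

```python
import ipaddress
from enum import IntEnum

# Header names assumed from the WICG Private Network Access draft (not quoted in the mail).
REQ_HEADER = "access-control-request-private-network"
ALLOW_HEADER = "access-control-allow-private-network"


class AddressSpace(IntEnum):
    LOCAL = 0    # loopback / localhost
    PRIVATE = 1  # RFC 1918, link-local, ULA and similar
    PUBLIC = 2   # everything else


def address_space(host: str) -> AddressSpace:
    """Classify a literal IP address into the three PNA address spaces."""
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return AddressSpace.LOCAL
    if ip.is_private:  # loopback already handled, so this is the private space
        return AddressSpace.PRIVATE
    return AddressSpace.PUBLIC


def needs_pna_preflight(initiator: str, target: str) -> bool:
    """Preflight is required only when the target is in a more private space than the initiator."""
    return address_space(target) < address_space(initiator)


def handle_preflight(request_headers: dict, allow_public_callers: bool) -> dict:
    """Server side: answer the PNA preflight, opting in only when configured to do so.

    Headers are compared case-insensitively; a server that does not expect traffic
    from less private networks simply omits the allow header and the request is blocked.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    if headers.get(REQ_HEADER, "").lower() != "true":
        return {}  # ordinary CORS preflight, nothing PNA-specific to answer
    return {ALLOW_HEADER: "true"} if allow_public_callers else {}


def request_allowed(initiator: str, target: str, server_opts_in: bool) -> bool:
    """Browser side: run the preflight when needed and check the target's opt-in."""
    if not needs_pna_preflight(initiator, target):
        return True
    response = handle_preflight({"Access-Control-Request-Private-Network": "true"}, server_opts_in)
    return response.get(ALLOW_HEADER) == "true"
```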