[webkit-dev] Request for opinion: Private Network Access preflights

Titouan Rigoudy titouan at google.com
Wed Nov 10 06:33:54 PST 2021

Woops, the following line:

> When a website served over HTTP from a public IP addres

Should instead read:

"When a website served from a public IP address"

There is no distinction between secure and non-secure contexts for this


On Wed, Nov 10, 2021 at 3:31 PM Titouan Rigoudy <titouan at google.com> wrote:

> Hi there friendly WebKittens,
> I have been implementing the second step of Private Network Access (PNA)
> [1] in Chromium.
> When a website served over HTTP from a public IP addres makes a
> subresource request to a private (RFC1918) IP address or localhost, Chrome
> will send a CORS preflight request with an extra PNA-specific header ahead
> of the actual request. This change also affects websites served from
> private IP addresses making subresource requests to localhost.
> The idea is to ask the target server whether it wants to opt into being
> contacted from the public internet. Most endpoints on the private network
> probably do not expect to receive such requests, and are often vulnerable
> to CSRF attacks.
> We have metrics in place telling us that ~1% of page visits at most make
> use of this feature, with a fairly clear weekly pattern suggesting use in
> work contexts.
> I am interested in WebKit's opinion on this matter.
> For more details, see the chromestatus entry [2].
> Cheers,
> Titouan
> [1] https://wicg.github.io/private-network-access/
> [2] https://chromestatus.com/feature/5737414355058688
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20211110/41ba0d35/attachment.htm>

More information about the webkit-dev mailing list