Intent to Ship: Private Network Access restrictions for automotive


Jonathan Hao

18.09.2023, 05:30:48
to gle...@chromium.org

Contact emails

ph...@chromium.org

Explainer

https://github.com/WICG/private-network-access/blob/main/explainer.md

Specification

https://github.com/WICG/private-network-access

Design docs


https://docs.google.com/document/d/1ozjh-G6faEEkgVp__mjq6c_4U93sS4kK4zoelTE7Awg/edit?usp=sharing

Summary

Enforce (instead of just warn) Private Network Access restrictions on Chrome for Android Automotive (if BuildInfo::is_automotive), including:

- Private Network Access preflight requests for subresources. See https://chromestatus.com/feature/5737414355058688, and
- Private Network Access for Workers. See https://chromestatus.com/feature/5742979561029632



Blink component

Blink>SecurityFeature>CORS>PrivateNetworkAccess

TAG review

https://github.com/w3ctag/design-reviews/issues/572

TAG review status

Issues addressed

Origin Trial documentation link

https://github.com/WICG/private-network-access/blob/main/explainer.md

Risks



Interoperability and Compatibility

Android Automotive is going to be a new platform, so no websites should rely on making private network requests yet. And our purpose is to ship this from the beginning to avoid future compatibility risks.



Gecko: Positive (https://github.com/mozilla/standards-positions/issues/143)

WebKit: Positive (https://github.com/WebKit/standards-positions/issues/163)

Web developers: Mixed signals. Anecdotal evidence so far suggests that most web developers are OK with this new requirement, though some do not control the target endpoints and would be negatively impacted.

Other signals:

Security

This change aims to be security-positive, preventing CSRF attacks against soft and juicy targets such as router admin interfaces. It does not cover navigation requests, which are to be addressed in followup launches. DNS rebinding threats were of particular concern during the design of this feature: https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit#heading=h.189j5gnadts9



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

Relevant information (client and resource IP address space) is already piped into the DevTools network panel. Deprecation warnings and errors will be surfaced in the DevTools issues panel explaining the problem when it arises.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No

Is this feature fully tested by web-platform-tests?

Yes

Flag name on chrome://flags

None

Finch feature name

PrivateNetworkAccessRestrictionsForAutomotive

Requires code in //chrome?

False

Estimated milestones

Shipping on Android (only when is_automotive=true): 119


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5082807021338624

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/MO2HmKaFe8c/m/vljPBcxdAQAJ

This intent message was generated by Chrome Platform Status.

Mike Taylor

18.09.2023, 09:16:46
to Jonathan Hao, gle...@chromium.org

LGTM1. Curious to know (but happy to not know) how many local servers are running in my car...


Yoav Weiss

18.09.2023, 09:21:18
to Mike Taylor, Jonathan Hao, gle...@chromium.org

Chris Harrelson

20.09.2023, 11:56:07
to Yoav Weiss, Mike Taylor, Jonathan Hao, gle...@chromium.org