Sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. A private network request is any request from a public website to a private IP address or localhost, or from a private website (e.g. intranet) to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.
The main interoperability risk, as always, is if other browser engines do not implement this. Compat risk is straightforward: web servers that do not handle the new preflight requests will eventually break, once the feature ships. The plan to address this is as follows: 1. Send preflight request, ignore result, always send actual request. Failed preflight requests will result in a warning being shown in devtools. 2. Wait for 3 milestones. 3. Gate actual request on preflight request success, with deprecation trial for developers to buy some more time. 4. End deprecation trial 4 milestones later. UseCounters: https://chromestatus.com/metrics/feature/timeline/popularity/3753 https://chromestatus.com/metrics/feature/timeline/popularity/3755 https://chromestatus.com/metrics/feature/timeline/popularity/3757 The above measure pages that make at least one private network request for which we would now send a preflight request.
None.
Gating access to the private network overnight on preflight requests would likely result in widespread breakage. This is why the plan is to first send requests but not act on their result, giving server developers time to implement code handling these requests. Deprecation warnings will be surfaced in DevTools to alert web/client developers when the potential for breakage later on is detected. Enforcement will be turned on later (aiming for 3 milestones), along with a deprecation trial for impacted web developers to buy themselves some more time. Experience suggests a large fraction of developers will not notice the advance deprecation warnings until things break.
This change aims to be security-positive, preventing CSRF attacks against soft and juicy targets such as router admin interfaces. It does not cover navigation requests and workers, which are to be addressed in followup launches. DNS rebinding threats were of particular concern during the design of this feature: https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit#heading=h.189j5gnadts9
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
Relevant information (client and resource IP address space) is already piped into the DevTools network panel. Deprecation warnings and errors will be surfaced in the DevTools issues panel explaining the problem when it arises.
Not on Android WebView given previous difficulty in supporting PNA changes due to the lack of support for deprecation trials. Support for WebView will be considered separately.
OriginTrial desktop last | 112 |
OriginTrial desktop first | 109 |
DevTrial on desktop | 98 |
OriginTrial Android last | 112 |
OriginTrial Android first | 109 |
DevTrial on Android | 98 |
I'm curious about the enterprise situation here. This seems to me
like something that could be in use in enterprise applications,
and we would not really know about it. ( https://www.chromium.org/developers/enterprise-changes/
is a good checklist for this)
Is there an enterprise policy for this that can be used for those that need the old behaviour, if not, could one be added?
Also, have you reached out to the enterprise community? (See link above)
/Daniel
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiP%2BEcXFNTOfg829uzFh2YMov%3DTsmAzdP9VDn8MoLuHqjog%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9dKw30wJL3Aj5OOmYeT5Gxy1Bb7Yf%2B7VFEmAjAEyySFWw%40mail.gmail.com.
We (Yoav, Philip, MikeT and I) discussed this at the API OWNERS meeting today and we are still not certain about the compatibility situation. The use counters are lower after compensating for likely malicious usage but they are still not quite as low as we'd like them to be.
One thing we considered was whether the data you analyzed is representative for all platforms or whether Android is different in some way. We don't know. Do you know? If not, could you take a look at the Desktop data and check that it's the same pattern as for Android?
Another question is the likely impact of a failed request. That
is a question that is much harder to answer, but maybe you have an
idea?
A third question is whether the situation is likely to improve or worsen over time. Do you have any insights about that?
/Daniel
We (Yoav, Philip, MikeT and I) discussed this at the API OWNERS meeting today and we are still not certain about the compatibility situation. The use counters are lower after compensating for likely malicious usage but they are still not quite as low as we'd like them to be.
One thing we considered was whether the data you analyzed is representative for all platforms or whether Android is different in some way. We don't know. Do you know? If not, could you take a look at the Desktop data and check that it's the same pattern as for Android?
Another question is the likely impact of a failed request. That is a question that is much harder to answer, but maybe you have an idea?
A third question is whether the situation is likely to improve or worsen over time. Do you have any insights about that?
Thanks for getting back to us!On Wed, Oct 12, 2022 at 6:11 PM Daniel Bratell <brat...@gmail.com> wrote:We (Yoav, Philip, MikeT and I) discussed this at the API OWNERS meeting today and we are still not certain about the compatibility situation. The use counters are lower after compensating for likely malicious usage but they are still not quite as low as we'd like them to be.
One thing we considered was whether the data you analyzed is representative for all platforms or whether Android is different in some way. We don't know. Do you know? If not, could you take a look at the Desktop data and check that it's the same pattern as for Android?
It's a good question! I'll take a look and see what I can tell from the data.
Hi all,Thanks for your patience, I was travelling last week, then out for a couple days, and was unable to spend much time on this until now.On Wed, Oct 12, 2022 at 6:35 PM Titouan Rigoudy <tit...@google.com> wrote:Thanks for getting back to us!On Wed, Oct 12, 2022 at 6:11 PM Daniel Bratell <brat...@gmail.com> wrote:We (Yoav, Philip, MikeT and I) discussed this at the API OWNERS meeting today and we are still not certain about the compatibility situation. The use counters are lower after compensating for likely malicious usage but they are still not quite as low as we'd like them to be.
One thing we considered was whether the data you analyzed is representative for all platforms or whether Android is different in some way. We don't know. Do you know? If not, could you take a look at the Desktop data and check that it's the same pattern as for Android?
It's a good question! I'll take a look and see what I can tell from the data.The data on Desktop suggests that most usage is legitimate. ChromeOS usage is dominated by educational websites: school districts and the like. This could be driven by large providers like Clever or VPN usage. On Windows and Mac we mostly see intranet-looking websites (CRMs, portals). On Linux, we see some of the former and mostly the latter.On desktop platforms in general, the UseCounter indicates ~0.1% (Linux, ChromeOS) to ~0.2% (Windows, MacOS) of page visits are affected.If that's too much, we could consider shipping on Android first, where our previous analysis suggests the impact is an order of magnitude lower. We could also ship on desktop to beta only for a few milestones, in order to give websites more time to notice the change.
Cheers,TitouanAnother question is the likely impact of a failed request. That is a question that is much harder to answer, but maybe you have an idea?
In the case of malicious usage, a failed request is a win for user security and privacy! :) Seriously though, typically it means one of two things: a) the core functionality of the page does not work, because its whole purpose was to talk to a private network server, or b) some subresources on the page fail to load because of weirdness around servers with multiple IP addresses (some private, some public) or VPN usage (site used to be public, now is on a private IP). In the case of b), a reload usually fixes the issue.
A third question is whether the situation is likely to improve or worsen over time. Do you have any insights about that?
Optimistically, the situation should improve as a result of developers noticing the warnings we've been flashing in DevTools for a while.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9eW%3DAvds4MTkgez7rVdF9gt1GrD9kmL-YqQV4YBpGSniw%40mail.gmail.com.
On Wed, Nov 2, 2022 at 12:05 PM 'Titouan Rigoudy' via blink-dev <blin...@chromium.org> wrote:Hi all,Thanks for your patience, I was travelling last week, then out for a couple days, and was unable to spend much time on this until now.On Wed, Oct 12, 2022 at 6:35 PM Titouan Rigoudy <tit...@google.com> wrote:Thanks for getting back to us!On Wed, Oct 12, 2022 at 6:11 PM Daniel Bratell <brat...@gmail.com> wrote:We (Yoav, Philip, MikeT and I) discussed this at the API OWNERS meeting today and we are still not certain about the compatibility situation. The use counters are lower after compensating for likely malicious usage but they are still not quite as low as we'd like them to be.
One thing we considered was whether the data you analyzed is representative for all platforms or whether Android is different in some way. We don't know. Do you know? If not, could you take a look at the Desktop data and check that it's the same pattern as for Android?
It's a good question! I'll take a look and see what I can tell from the data.The data on Desktop suggests that most usage is legitimate. ChromeOS usage is dominated by educational websites: school districts and the like. This could be driven by large providers like Clever or VPN usage. On Windows and Mac we mostly see intranet-looking websites (CRMs, portals). On Linux, we see some of the former and mostly the latter.On desktop platforms in general, the UseCounter indicates ~0.1% (Linux, ChromeOS) to ~0.2% (Windows, MacOS) of page visits are affected.If that's too much, we could consider shipping on Android first, where our previous analysis suggests the impact is an order of magnitude lower. We could also ship on desktop to beta only for a few milestones, in order to give websites more time to notice the change.Yikes, that sure sounds like a huge amount of breakage, and so not something likely to survive a launch (partner escalations, negative press, etc.). In fact that seems suspiciously high to me. You're saying that one in 500 public Internet pages loaded on Windows has a legitimate need to load a sub-resource from a private IP space? That's a HUGE amount, hopefully it's over-counting somehow by a few orders of magnitude :-)In terms of risk reduction, launching first on Android is one option, but that sounds like it still has a non-trivial level of risk too. Here's a few other ideas to possibly help form a pragmatic launch strategy (mostly drawn from experience captured in bit.ly/blink-compat).
- Survey some of the legitimate looking cases in the data and see if you can reproduce the breakage. How severe is it in practice?
- Pick a random set of impacted sites and work with partnerships / gtech teams to do targeted outreach. Is it easy to get sites to fix issues? Can we learn anything about how to help make it easier for them, and/or how to filter out hits from our data that aren't actually a problem in practice?
- Do a test deployment to beta channel and see what level of feedback we get. Plan for a finch trial on stable of <1% of users (but IMHO current data suggests we're not ready even for a small stable trial).
- Ensure failures are hooked up to NEL (Network Error Logging) and work with some bigger enterprises (eg. Google) to monitor, classify and debug breakage in their environment