Request for Extend Deprecation Trial: Restrict "private network requests" for subresources from public websites to secure contexts.

108 views
Skip to first unread message

Yifan Luo

unread,
Oct 20, 2023, 12:16:58 PM10/20/23
to gle...@chromium.org, Jonathan Hao, Camille Lamy

Contact emails

cl...@chromium.orgmk...@chromium.orgva...@chromium.orgl...@chromium.org

Explainer

https://github.com/WICG/private-network-access/blob/master/explainer.md

Specification

https://wicg.github.io/private-network-access

Design docs


https://docs.google.com/document/d/1x1a1fQLOrcWogK3tpFBgQZQ5ZjcONTvD0IqqXkgrg5I/edit#heading=h.7nki9mck5t64

Summary

Requires that private network requests for subresources from public websites may only be initiated from a secure context. Examples include internet to intranet requests and internet to loopback requests. This is a first step towards fully implementing Private Network Access: https://wicg.github.io/private-network-access/



Blink component

Blink>SecurityFeature>CORS>PrivateNetworkAccess

TAG review

https://github.com/w3ctag/design-reviews/issues/572

TAG review status

Issues addressed

Chromium Trial Name

PrivateNetworkAccessNonSecureContextsAllowed

Link to origin trial feedback summary

https://docs.google.com/spreadsheets/d/1z5ZdCslNCnSVR7TNlUTHjSvunMFmT_9G9NOx8-O78-I/edit?usp=sharing&resourcekey=0-DITlG8tDuFDWHiBUHnlSoQ

Origin Trial documentation link

https://developer.chrome.com/blog/private-network-access-update/

WebFeature UseCounter name

kPrivateNetworkAccessNonSecureContextsAllowedDeprecationTrial

Risks



Interoperability and Compatibility

No interoperability risks. Compatibility risk is small but non-negligible. UseCounters show ~0.1% of page visits making use of this feature. Direct outreach to the largest users per UKM data revealed no objections to this launch. Rolling this deprecation out to beta per the previous I2S resulted in more feedback about the compatibility risk and the need for a time extension. See the following doc for an extensive discussion: https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit



Gecko: Positive (https://github.com/mozilla/standards-positions/issues/143) Tentatively positive, but no formal position yet.

WebKit: Positive (https://lists.webkit.org/pipermail/webkit-dev/2021-May/031837.html)

Web developers: Mixed signals (https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit) In our recent survey, most of websites are able to migrate if our new permission prompt can be landed as a way for them to relax mixed content checks. https://docs.google.com/spreadsheets/d/1z5ZdCslNCnSVR7TNlUTHjSvunMFmT_9G9NOx8-O78-I/edit?resourcekey=0-DITlG8tDuFDWHiBUHnlSoQ#gid=309953809 ------------ Some websites, broadly falling in the category of controller webapps for IoT devices, find this change incompatible with their use cases. While many use cases can be solved with specific workarounds, some still require further engagement.

Other signals:

Activation

Developers of non-secure sites that rely upon local servers will need to upgrade to HTTPS. This might cause some complications, as mixed-content checks will begin to apply. Chrome carves out HTTP access to loopback (as perhttps://w3c.github.io/webappsec-secure-contexts/#localhost), which is a release valve for folks who don't want to go through the effort of securely-distributing certs for local servers. The initial launch in M92 was delayed due to compatibility risks surfaced during the rollout to beta. See this doc for a lot more details: https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit



Security

This change should be security-positive.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?



Goals for experimentation



Reason this experiment is being extended

We intend to extend the deprecation trial until new permission prompt shipped, which is going to be on a origin trial from M120 to M123: https://groups.google.com/a/chromium.org/g/blink-dev/c/sL15TKGmXqM/m/rD0SF8sQBwAJ



Ongoing technical constraints

None.



Debuggability

When a request is made that violates this restriction and the feature is not enabled, three things happen: 1. A warning message is logged to the DevTools console. 2. A depreciation report is filed against the initiator website's Reporting API, if so configured. 3. An issue surfaced in the DevTools Issues panel. Likewise, when the feature is enabled and a request is blocked, the same happens except that the message logged to the DevTools console is an error and its text is slightly different. The devtools network panel shows information about the source and remote address spaces at play.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/fetch/private-network-access?label=master&label=experimental&aligned



Flag name on chrome://flags

BlockInsecurePrivateNetworkRequests

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

False

Tracking bug

https://crbug.com/986744

Launch bug

https://crbug.com/1129801

Estimated milestones

OriginTrial desktop last126
OriginTrial desktop first94
DevTrial on desktop86
OriginTrial Android last126
OriginTrial Android first94
DevTrial on Android86


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5436853517811712

Links to previous Intent discussions

Ready for Trial: https://groups.google.com/a/chromium.org/g/blink-dev/c/EeGg7TxW6U4/m/7ZvqAqHLAwAJ
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/vlDZXlPb00k/m/1421ACiuAAAJ
Intent to Extend Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/JPD001kqeck
Intent to Ship: https://groups.google.com/a/chromium.org/g/blink-dev/c/JPD001kqeck


This intent message was generated by Chrome Platform Status.

--
Yifan

Yifan Luo

unread,
Oct 26, 2023, 7:50:43 AM10/26/23
to blink-dev, Yifan Luo, Jonathan Hao, Camille Lamy
Dear API owners,


best,
Yifan

Mike Taylor

unread,
Oct 26, 2023, 11:27:35 AM10/26/23
to Yifan Luo, blink-dev, Jonathan Hao, Camille Lamy

LGTM to extend 3 more milestones: from 120 to 122 inclusive.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/9957df9b-e495-4e24-b8eb-e306e6b83949n%40chromium.org.
Reply all
Reply to author
Forward
0 new messages