Intent to Extend Deprecation Trial: Restrict "private network requests" for subresources to secure contexts.

88 views
Skip to first unread message

Titouan Rigoudy

unread,
Mar 18, 2022, 11:04:23 AM3/18/22
to blink-dev

Contact emails

tit...@chromium.orgcl...@chromium.orgmk...@chromium.orgva...@chromium.org

Explainer

https://github.com/WICG/private-network-access/blob/master/explainer.md

Specification

https://wicg.github.io/private-network-access/

Design docs

https://docs.google.com/document/d/1x1a1fQLOrcWogK3tpFBgQZQ5ZjcONTvD0IqqXkgrg5I/edit#heading=h.7nki9mck5t64

Summary

Requires that private network requests for subresources from public websites may only be initiated from a secure context. Examples include internet to intranet requests and internet to loopback requests. This is a first step towards fully implementing Private Network Access: https://wicg.github.io/private-network-access/


Reason this trial is being extended

The main workaround suggested to impacted websites was to use WebTransport's serverCertificateHashes feature. That is only shipping in Chrome 100; developers need more time to try it out. In addition, some issues have been identified with WebTransport that are prompting us to re-evaluate alternatives. In the meantime, keeping the trial going helps "staunch the bleeding" and provides a channel for discussing plans with affected web developers.

Previous experiment timeline: M94 to M101
Requested extension timeline: M102 to M106

Blink component

Blink>SecurityFeature>CORS>PrivateNetworkAccess

TAG review

https://github.com/w3ctag/design-reviews/issues/572

TAG review status

Issues addressed

Risks



Interoperability and Compatibility

No interoperability risks. Compatibility risk is the main issue. UseCounters show ~0.1% of page visit making use of this feature. A few hundred websites signed up to the deprecation trial. Rolling this deprecation out to beta per the previous I2S resulted in more feedback about the compatibility risk and the need for a time extension. See the following doc for an extensive discussion: https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit



Gecko: Worth prototyping (https://github.com/mozilla/standards-positions/issues/143)

WebKit: Positive (https://lists.webkit.org/pipermail/webkit-dev/2021-May/031837.html)

Web developers: Negative (https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit) Some websites, broadly falling in the category of controller webapps for IoT devices, find this change incompatible with their use cases. While some use cases can be solved with specific workarounds, many still require further engagement.

Activation

Developers of non-secure sites that rely upon local servers will need to upgrade to HTTPS. This might cause some complications, as mixed-content checks will begin to apply. Chrome carves out HTTP access to loopback (as per https://w3c.github.io/webappsec-secure-contexts/#localhost), which is a release valve for folks who don't want to go through the effort of securely-distributing certs for local servers. The initial launch in M92 was delayed due to compatibility risks surfaced during the rollout to beta. See this doc for a lot more details: https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit



Security

This change should be security-positive.



WebView Application Risks

This change is disabled on WebView due to its lack of support for origin/deprecation trials.



Debuggability

When a request is made that violates this restriction and the feature is not enabled, three things happen: 1. A warning message is logged to the DevTools console. 3. An issue is surfaced in the DevTools Issues panel. Likewise, when the feature is enabled and a request is blocked, the same happens except that the message logged to the DevTools console is an error and its text is slightly different. The devtools network panel shows information about the source and remote address spaces at play.



Is this feature fully tested by web-platform-tests?

Yes

Flag name

BlockInsecurePrivateNetworkRequests

Requires code in //chrome?

False

Tracking bug

https://crbug.com/986744

Launch bug

https://crbug.com/1129801

Yoav Weiss

unread,
Mar 18, 2022, 11:12:51 AM3/18/22
to Titouan Rigoudy, blink-dev
Can you remind me what's the exit strategy from this deprecation trial? Are we making progress on that front? Do we see any reduction in the number of properties that need this deprecation trial?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9cCT6C7RLunP_%3Da0nuE1iM5EP48SZp%2BQqmrqhfqQDCL-A%40mail.gmail.com.

Titouan Rigoudy

unread,
Mar 18, 2022, 12:29:35 PM3/18/22
to Yoav Weiss, blink-dev
The exit strategy so far was to let developers try their hand at the suggested workarounds and see whether those could support all legitimate use cases. Once that is the case, we can leave a fixed number of milestones for developers to adjust, then exit.

We have made progress on determining whether the main workaround (WebTransport) is a viable solution or not. Developers have tried to re-architect to use that instead, and reported issues related to first-time setup of IoT devices. We are discussing options that would allow those use cases to keep functioning. The leading contender seems to be some kind of permission prompt.

I will look into the deprecation trial signup data to see if there has been a reduction so far and report back.

Cheers,
Titouan

Titouan Rigoudy

unread,
Mar 22, 2022, 12:35:22 PM3/22/22
to Yoav Weiss, blink-dev
Just checked the most recent trial registration data, and it seems like the overwhelming majority of origins signed up for the trial in October are still signed up today. In addition, there are two thirds more new registrations.

Cheers,
Titouan

Yoav Weiss

unread,
Mar 23, 2022, 12:13:01 AM3/23/22
to Titouan Rigoudy, blink-dev
LGTM to extend till M106 (inclusive).


On Tue, Mar 22, 2022 at 5:35 PM Titouan Rigoudy <tit...@google.com> wrote:
Just checked the most recent trial registration data, and it seems like the overwhelming majority of origins signed up for the trial in October are still signed up today. In addition, there are two thirds more new registrations.

This shows on the one hand that the Deprecation Trial is still necessary, and on the other that the alternative path is not compelling enough just yet.


Cheers,
Titouan

On Fri, Mar 18, 2022 at 5:28 PM Titouan Rigoudy <tit...@google.com> wrote:
The exit strategy so far was to let developers try their hand at the suggested workarounds and see whether those could support all legitimate use cases. Once that is the case, we can leave a fixed number of milestones for developers to adjust, then exit.

That sounds reasonable.
 

We have made progress on determining whether the main workaround (WebTransport) is a viable solution or not. Developers have tried to re-architect to use that instead, and reported issues related to first-time setup of IoT devices. We are discussing options that would allow those use cases to keep functioning. The leading contender seems to be some kind of permission prompt.

Thanks for working on making alternative paths viable!
Reply all
Reply to author
Forward
0 new messages