Intent to Prototype: PNA permission prompt for non-fetch requests

205 views
Skip to first unread message

Yifan Luo

unread,
Feb 29, 2024, 10:52:44 AMFeb 29
to gle...@chromium.org

Contact emails

l...@chromium.org

Explainer

https://github.com/WICG/private-network-access/blob/main/permission_prompt/explariner_non-fetch_requests.md

Specification

https://wicg.github.io/private-network-access

Summary

A new Content Security Policy `private-address-space` and `local-address-space` to let all documents declare their IP address space ahead of time.



Blink component

Blink>SecurityFeature>CORS>PrivateNetworkAccess

Motivation

To enhance private network security, we need a solution that extends beyond the current fetch-focused Private Network Access permission.



Initial public proposal

https://docs.google.com/document/d/1YjcxNnrnp0BZb1suZI7mXbyjK1wM2M36aPkkbNRN3JY/edit?resourcekey=0-7DoGGwNK5d8n75paVuSFHg

TAG review

None

TAG review status

Pending

Risks



Interoperability and Compatibility

None



Gecko: Positive (https://github.com/mozilla/standards-positions/issues/143)

WebKit: Positive (https://github.com/WebKit/standards-positions/issues/163)

Web developers: Positive

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?

No

Flag name on chrome://flags

None

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

False

Tracking bug

https://g-issues.chromium.org/issues/327602976

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5112291503898624

This intent message was generated by Chrome Platform Status.

--
Yifan

Domenic Denicola

unread,
Mar 3, 2024, 11:37:18 PMMar 3
to Yifan Luo, gle...@chromium.org
It's not clear what this intent or explainer means by "non-fetch requests". https://github.com/WICG/private-network-access/issues/129

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAG-zKU_JsZW4MwABUgzpARnwFfmjXmYcGswNibWCWALejeRpyA%40mail.gmail.com.

Yifan Luo

unread,
Mar 4, 2024, 5:22:06 AMMar 4
to blink-dev, dom...@chromium.org, gle...@chromium.org, Yifan Luo
Maybe I need a better naming. The original PNA permission prompt requires developers to manually add a new fetch option "targetAddressSpace". So for the non-fetch requests, e.g. iframes, image elements, etc., we attempt to let websites to claim the targetAddressSpace in an earlier stage, which is as a new content security policy.

Yifan Luo

unread,
Mar 6, 2024, 11:34:01 AMMar 6
to blink-dev, Yifan Luo, dom...@chromium.org, gle...@chromium.org
I updated the name to "Content Security Policy for PNA permission prompt".

Intent to Prototype: Content Security Policy for PNA permission prompt

Contact emails
l...@chromium.org

Explainerhttps://github.com/WICG/private-network-access/blob/main/permission_prompt/explariner_content_security_policy.md

Specificationhttps://wicg.github.io/private-network-access


Summary

A new Content Security Policy `private-address-space` and `local-address-space` to let all documents declare their IP address space ahead of time.



Blink componentBlink>SecurityFeature>CORS>PrivateNetworkAccess


Motivation

To enhance private network security, we need a solution that extends beyond the current fetch-focused Private Network Access permission.



Initial public proposalhttps://docs.google.com/document/d/1YjcxNnrnp0BZb1suZI7mXbyjK1wM2M36aPkkbNRN3JY/edit?resourcekey=0-7DoGGwNK5d8n75paVuSFHg

TAG reviewNone

TAG review statusPending

Risks


Interoperability and Compatibility

None



Gecko: Positive (https://github.com/mozilla/standards-positions/issues/143)

WebKit: Positive (https://github.com/WebKit/standards-positions/issues/163)

Web developers: Positive

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?No

Flag name on chrome://flagsNone

Finch feature nameNone

Non-finch justificationNone

Requires code in //chrome?False

Tracking bughttps://g-issues.chromium.org/issues/327602976


Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Statushttps://chromestatus.com/feature/5112291503898624

Links to previous Intent discussionsIntent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/bz97-foS2Lo


This intent message was generated by Chrome Platform Status.

Domenic Denicola

unread,
Mar 6, 2024, 6:55:18 PMMar 6
to Yifan Luo, blink-dev, dom...@chromium.org
Thank you; that helps a lot!
Reply all
Reply to author
Forward
0 new messages