Intent to Prototype: Deprecate 0.0.0.0 for Private Network Access

128 views
Skip to first unread message

Yifan Luo

unread,
Nov 16, 2023, 7:10:41 AM11/16/23
to gle...@chromium.org, Camille Lamy, Jonathan Hao

Contact emails

l...@chromium.org

Explainer

None

Specification

https://wicg.github.io/private-network-access

Summary

We propose to block access to IP address 0.0.0.0. Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification (https://developer.chrome.com/blog/private-network-access-preflight/). Services listening on the localhost (127.0.0.0/8) are considered private according to the specification (https://wicg.github.io/private-network-access/#ip-address-space-heading). Chrome's PNA protection can be bypassed using the IP address 0.0.0.0 to access services listening on the localhost on macOS and Linux. This can also be abused in DNS rebinding attacks targeting a web application listening on the localhost.



Blink component

Blink>SecurityFeature>CORS>PrivateNetworkAccess

Motivation

Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification (https://developer.chrome.com/blog/private-network-access-preflight/). Services listening on the localhost (127.0.0.0/8) are considered private according to the specification (https://wicg.github.io/private-network-access/#ip-address-space-heading). Chrome's PNA protection can be bypassed using the IP address 0.0.0.0 to access services listening on the localhost on macOS and Linux. This can also be abused in DNS rebinding attacks targeting a web application listening on the localhost. See more: https://crbug.com/1300021



Initial public proposal

None

Search tags

securityPrivate Network Access

TAG review

None

TAG review status

Not applicable

Chromium Trial Name

PrivateNetworkAccessNullIpAddressAllowed

Origin Trial documentation link

https://crbug.com/1300021

WebFeature UseCounter name

kPrivateNetworkAccessNullIpAddress

Risks



Interoperability and Compatibility

None



Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?

No

Flag name on chrome://flags

block-null-ip-address

Finch feature name

PrivateNetworkAccessNullIpAddress

Requires code in //chrome?

False

Tracking bug

https://crbug.com/1300021

Estimated milestones

OriginTrial desktop last123
OriginTrial desktop first121


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5106143060033536

This intent message was generated by Chrome Platform Status.

Reply all
Reply to author
Forward
0 new messages