We propose to block access to IP address 0.0.0.0. Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification (https://developer.chrome.com/blog/private-network-access-preflight/). Services listening on the localhost (127.0.0.0/8) are considered private according to the specification (https://wicg.github.io/private-network-access/#ip-address-space-heading). Chrome's PNA protection can be bypassed using the IP address 0.0.0.0 to access services listening on the localhost on macOS and Linux. This can also be abused in DNS rebinding attacks targeting a web application listening on the localhost.
Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification (https://developer.chrome.com/blog/private-network-access-preflight/). Services listening on the localhost (127.0.0.0/8) are considered private according to the specification (https://wicg.github.io/private-network-access/#ip-address-space-heading). Chrome's PNA protection can be bypassed using the IP address 0.0.0.0 to access services listening on the localhost on macOS and Linux. This can also be abused in DNS rebinding attacks targeting a web application listening on the localhost. See more: https://crbug.com/1300021
None
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
None
OriginTrial desktop last | 123 |
OriginTrial desktop first | 121 |