Intent to Experiment: Private Network Access permission to relax mixed content


Yifan Luo

Oct 20, 2023, 9:50:22 AM
to gle...@chromium.org, Jonathan Hao, Camille Lamy

Contact emails

l...@chromium.org, cl...@chromium.org

Explainer

https://github.com/iVanlIsh/private-network-access/blob/main/explainer.md

Specification

https://wicg.github.io/private-network-access

Design docs

https://docs.google.com/document/d/1Q18g4fZoDIYQ9IuxlZTaItgkzfiz_tCqaEAI8J3Y1WY/edit

Summary

In order to establish connections to devices on a local network that do not have globally unique names, and therefore cannot obtain TLS certificates, this feature introduces a new option to `fetch()` to declare a developer's intent to talk to such a device, a new policy-controlled feature to gate each site's access to this capability, and new headers for the server's preflight response to provide additional metadata.



Blink component

Blink>SecurityFeature>CORS>PrivateNetworkAccess

TAG review

https://github.com/w3ctag/design-reviews/issues/751

TAG review status

Issues addressed

Risks



Interoperability and Compatibility



Gecko: No signal

WebKit: No signal

Web developers: Positive (https://github.com/WICG/private-network-access/issues/23)

Other signals:

Ergonomics

This new feature requires users to click on the new permission. This may lead users to spamming on some websites. However, this is an intentional move to encourage the websites to provide security context. The origin trial also aimed to measure the frequency of users getting the permissions.



Activation

No. This feature attempts to bring developers an easier way to restrict Private Network Access with secure context.



Security

This is a security positive feature.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Goals for experimentation



Ongoing technical constraints

None.



Debuggability

Relevant information (client and resource IP address space) is already piped into the DevTools network panel. We’ll likely also represent the permission state in the settings pages.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No

Mac, Windows, Linux, Chrome OS, Fuchsia, Android, WebLayer. Not Android WebView because of the absence of deprecation trial integration (though that may be changing soon, see https://crbug.com/1308425). Not iOS because this requires changes in Blink and the network service, neither of which are used on iOS.



Is this feature fully tested by web-platform-tests?

No

https://wpt.fyi/results/fetch/private-network-access/mixed-content-fetch.tentative.https.window.html?label=master&label=experimental&aligned&q=private-network-access



Flag name on chrome://flags



Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

True

Tracking bug

https://crbug.com/1338439

Estimated milestones

OriginTrial desktop last: 123
OriginTrial desktop first: 120


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5954091755241472

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/6MczoSFGiHo/m/IigYuhu7AwAJ

This intent message was generated by Chrome Platform Status.

--
Yifan
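
An added example, not part of the original message and not Chromium's code: one way a local device could answer the preflight that the Summary describes, granting private-network access only to allow-listed origins. The header names and the `targetAddressSpace` fetch option are taken from the Private Network Access spec draft linked above, not from this message; the origin, device name and device ID are constructed.

```javascript
// Added example (not Chromium or spec code). Header and option names follow the
// Private Network Access spec draft; origins and device values are constructed.
//
// Page side (HTTPS page declaring intent to reach a plaintext local device):
//   fetch("http://192.168.0.10/status", { targetAddressSpace: "private" });

const ALLOWED_ORIGINS = new Set(["https://console.example"]); // constructed
const NAME_RE = /^[a-z0-9_\-.]+$/;                 // device name shown in the prompt
const ID_RE = /^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$/i; // 48-bit ID, six hex bytes
const MAX_NAME_LEN = 248;

function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Returns { status, headers } for a preflight that reaches the device.
function answerPreflight(method, rawHeaders, device) {
  const h = lowerKeys(rawHeaders);
  if (method !== "OPTIONS" || !h["access-control-request-method"]) {
    return { status: 400, headers: {} };
  }
  // Never echo an arbitrary Origin: only allow-listed sites get an answer.
  const origin = h["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };

  const out = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": h["access-control-request-method"],
    "Vary": "Origin",
  };
  if (h["access-control-request-private-network"] === "true") {
    // Refuse to advertise metadata the browser would reject as malformed.
    const nameOk = NAME_RE.test(device.name) && device.name.length <= MAX_NAME_LEN;
    if (!nameOk || !ID_RE.test(device.id)) return { status: 500, headers: {} };
    out["Access-Control-Allow-Private-Network"] = "true";
    out["Private-Network-Access-Name"] = device.name;
    out["Private-Network-Access-ID"] = device.id;
  }
  return { status: 204, headers: out };
}

const DEVICE = { name: "lab-printer.local", id: "01:23:45:67:89:0a" }; // constructed
const PREFLIGHT = {                                  // constructed request headers
  "Origin": "https://console.example",
  "Access-Control-Request-Method": "GET",
  "Access-Control-Request-Private-Network": "true",
};
console.log(answerPreflight("OPTIONS", PREFLIGHT, DEVICE));
```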

Mike Taylor

Oct 23, 2023, 7:36:32 PM
to Yifan Luo, Jonathan Hao, Camille Lamy, gle...@chromium.org

Hi Yifan,

Could you please request Privacy, Security, and Debuggability reviews in the chromestatus entry?

thanks,
Mike


Yifan Luo

Oct 24, 2023, 3:47:38 AM
to blink-dev, blink-dev, blink-dev, Camille Lamy, gle...@chromium.org, blink-dev
Hello Mike,

Sure and done.

Yifan

Mike Taylor

Oct 24, 2023, 7:50:45 AM
to Yifan Luo, blink-dev, blink-dev, Camille Lamy

Thanks - LGTM to experiment from 120 to 123 inclusive.
