Contact emails
ri...@chromium.org
Explainer
None
Specification
https://fetch.spec.whatwg.org/#bad-port
Summary
Connections to HTTP, HTTPS or FTP servers on port 10080 will fail. This is a mitigation for the NAT Slipstream 2.0 attack. It helps developers by keeping the web platform safe for users.
Blink component
Internals>Network
TAG review
Not needed (extension to existing block list)
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Firefox and Safari are involved in the discussion to block the port, so interoperability risk is not significant. Firefox has already shipped a block. This will inescapably cause problems for developers running servers on port 10080. They will have to move to a different port. We strongly recommend using port 80 for HTTP and 443 for HTTPS to avoid the risk of future blocks.
Gecko: Shipped/Shipping
WebKit: No signal. Minor incremental change, so not asking for official position.
Web developers: Positive (https://twitter.com/TypeSong/status/1379603571193249793)
Ergonomics
No impact.
Activation
None needed.
Security
This is a security improvement. The main risk is that we will have to block more ports in future.
Debuggability
Not needed.
Is this feature fully tested by web-platform-tests?
No
Flag name
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6510270304223232
This intent message was generated by Chrome Platform Status.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAC_ixdy%3D-0AVmWRnwc-AfrHaHB70NvpEuM_2dpP5qVF7HkgXpg%40mail.gmail.com.
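For developers checking whether their own endpoints are affected by the block described in the intent above, here is an added example (not part of the original message and not Chromium code) that audits a list of endpoint URLs for port 10080 using the WHATWG URL parser. The host names are constructed, and treating a bare host:port entry as an HTTP server is an assumption.

```javascript
// Added example, not Chromium code. Only port 10080 is checked because it is
// the only blocked port this page names; the full list is in the Fetch spec.
const BLOCKED_PORT = 10080;
const AFFECTED_SCHEMES = new Set(["http:", "https:", "ftp:"]);
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Classify one inventory entry as "blocked", "ok", "not-covered" or "invalid".
function classifyEndpoint(raw) {
  // Assumption: a bare "host:port" entry means an HTTP server. Without this,
  // the URL parser would read "localhost:10080" as scheme "localhost:".
  const candidate = HAS_SCHEME.test(raw) ? raw : `http://${raw}`;
  let url;
  try {
    url = new URL(candidate);
  } catch (err) {
    return { entry: raw, status: "invalid" };
  }
  if (!AFFECTED_SCHEMES.has(url.protocol)) {
    return { entry: raw, status: "not-covered" };
  }
  // url.port is "" when the scheme's default port is in use, and the parser
  // has already normalised forms such as ":010080" to "10080".
  const port = url.port === "" ? null : Number(url.port);
  return { entry: raw, status: port === BLOCKED_PORT ? "blocked" : "ok" };
}

// Return only the entries that have to move to another port.
function findBlocked(entries) {
  return entries.map(classifyEndpoint).filter((r) => r.status === "blocked");
}

// Constructed sample inventory (hypothetical hosts).
const SAMPLE_ENDPOINTS = [
  "https://dev.example.test:10080/api",
  "http://[::1]:10080/",
  "ftp://files.example.test:10080/pub",
  "localhost:10080",
  "http://staging.example.test:010080/",
  "http://example.test:8080/",
  "https://example.test/",
  "ssh://build.example.test:10080",
  "http://example.test:99999/",
];

for (const hit of findBlocked(SAMPLE_ENDPOINTS)) {
  console.log(`move off port ${BLOCKED_PORT}: ${hit.entry}`);
}
```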
Are the Chrome Enterprise folks in the loop here?
Would be good to at least make WebKit folks aware that we're blocking this, by e.g. filing a bug and looping in the right folks on their end.
I think this was brought up before, but have we considered moving to an allow-list model?