Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Local Network Access #163

Closed
letitz opened this issue Apr 6, 2023 · 4 comments
Closed

Local Network Access #163

letitz opened this issue Apr 6, 2023 · 4 comments
Assignees
Labels
from: Google Proposed, edited, or co-edited by Google. position: support topic: fetch Relates to the Fetch API topic: networking venue: WHATWG Fetch Workstream venue: WICG Proposal is incubated in the Web Incubator Community Group

Comments

@letitz
Copy link

letitz commented Apr 6, 2023

WebKittens

@annevk

Title of the spec

Local Network Access (aka Private Network Access, CORS-RFC1918)

URL to the spec

https://wicg.github.io/local-network-access

URL to the spec's repository

https://github.com/wicg/local-network-access

Issue Tracker URL

No response

Explainer URL

https://github.com/WICG/local-network-access/blob/main/explainer.md

TAG Design Review URL

w3ctag/design-reviews#572

Mozilla standards-positions issue URL

mozilla/standards-positions#143

WebKit Bugzilla URL

https://bugs.webkit.org/show_bug.cgi?id=250607

Radar URL

rdar://104246665

Description

Local Network Access aims to prevent CSRF attacks against insecure devices on the local network. This is achieved by deprecating direct access to private IP addresses from public websites, and instead requiring that:

  • the initiator website be served over HTTPS
  • the target website respond affirmatively to an augmented CORS preflight request

Note that we are working on adding a path for HTTPS initiators to bypass mixed content restrictions when talking to the local network, since HTTPS communications on the local network are difficult to set up and operate.

Previous requests for positions, from back in 2021:

@gsnedders
Copy link
Member

@fred-wang
Copy link

cc @javifernandez

@gsnedders gsnedders added topic: networking venue: WICG Proposal is incubated in the Web Incubator Community Group from: Google Proposed, edited, or co-edited by Google. labels Apr 6, 2023
@hober hober moved this from Unscreened to Needs position in Standards Positions Review Backlog Apr 6, 2023
@annevk
Copy link
Contributor

annevk commented Jun 20, 2023

I've discussed this with colleagues and while we're supportive of this effort we quite strongly disagree with the latest name of the specification and nomenclature used therein as discussed in WICG/private-network-access#91. In particular we think that using "private" instead of "local" can lead to confusion. Once we get around to implementing this specification, we might also attempt to improve upon the header names as discussed in that issue.

With that caveat, I suggest we mark this as "position: support" one week from now.

@jub0bs
Copy link

jub0bs commented Oct 16, 2023

@annevk

Once we get around to implementing this specification, we might also attempt to improve upon the header names as discussed in that issue.

A disagreement between browser vendors about which header names (-Local or -Private-) to use is likely to cause difficulties for implementors of CORS middleware libraries, who would then need to support both names. Please take this into account.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
from: Google Proposed, edited, or co-edited by Google. position: support topic: fetch Relates to the Fetch API topic: networking venue: WHATWG Fetch Workstream venue: WICG Proposal is incubated in the Web Incubator Community Group
Development

No branches or pull requests

6 participants