*Note that Private Network Access is in the process of being renamed to Local Network Access, so you may see inconsistent names for the time being.*

Contact emails
p...@chromium.org, tito...@chromium.org, v...@chromium.org, cl...@chromium.org

Explainer
https://github.com/WICG/local-network-access/blob/main/explainer.md

Specification
https://wicg.github.io/local-network-access

Design docs
Local Network Access: Allow Potentially Trustworthy Same-Origin Fetches <https://docs.google.com/document/d/1XopQKc6sR-2URgKqEleb-XNjcSPOjTI-E5qRxWGBuTY/edit#heading=h.y2euwddkcot>
Private Network Access: Preflight requests for subresources <https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit>

Summary
Allow same-origin local network fetches to potentially-trustworthy origins and do not send preflights for them. We currently send preflights before all local network requests, but ignore the results, as proposed in Intent to Ship: Private Network Access preflight requests for subresources <https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/72CK2mxD47c/m/5mkboUneAwAJ>.

Blink component
Blink>SecurityFeature>CORS>PrivateNetworkAccess <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>

Motivation
We haven’t been able to enforce the preflight results for private network requests because the compat risk is still too high. See this thread <https://groups.google.com/a/chromium.org/g/blink-dev/c/FlenxUPCDec/m/FNJ0wCmKBAAJ> for discussions about the compat risk involved.

Preliminary metric data in dev and beta show that by excluding same-origin requests, we can reduce the number of ignored warnings by ~2x. Reducing the compat risk gets us closer to start enforcing the preflight results.

Initial public proposal
https://discourse.wicg.io/t/transfer-cors-rfc1918-and-hsts-priming-to-wicg/1726

TAG review
https://github.com/w3ctag/design-reviews/issues/572

TAG review status
Added an FYI comment about this change.

Risks

Interoperability and Compatibility
This change reduces the compatibility risk of enforcing preflight results on private network requests as we now send fewer preflights for private network requests, so it’s less likely to break websites.

Gecko: No signal about this specific change.
WebKit: No signal about this specific change.
Web developers: No signal about this specific change, but they should be happy since this reduces compatibility risks.
Other signals:

Ergonomics
None.

Activation
We plan to ship this change directly as this relaxes the previous restrictions.

Security
This change is limited to potentially trustworthy origins. Proof of certificate protects users from DNS rebinding.

WebView application risks
There’s no plan to ship Local Network Access on WebView.

Debuggability
Relevant information (client and resource IP address space) is already piped into the DevTools network panel.

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes

DevTrial instructions
https://github.com/WICG/private-network-access/blob/main/HOWTO.md

Flag name
LocalNetworkAccessAllowPotentiallyTrustworthySameOrigin

Requires code in //chrome?
Only for metric logging

Tracking bug
https://crbug.com/1382068

Launch bug
https://crbug.com/1274149

Estimated milestones
Desktop 113
Android 113

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5737414355058688

Links to previous Intent discussions
Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/PrB0xnNxaHs/m/jeoxvNjXCAAJ
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOC%3DiP%2Bew8hADZkdQ3AO6P9WzfGuzLPp9JjJZqztV5oZmaK8oQ%40mail.gmail.com
Intent to Ship: https://groups.google.com/a/chromium.org/g/blink-dev/c/72CK2mxD47c
Intent to Deprecate and Remove: Private Network Access requests for subresources without proper preflight response: https://groups.google.com/a/chromium.org/g/blink-dev/c/FlenxUPCDec/m/FNJ0wCmKBAAJ

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
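
A simplified model of the preflight decision described in the Summary and Security sections, as an added example (not Chromium code and not part of the original message). It assumes IPv4 only, classifies just loopback and RFC 1918 ranges, and approximates "potentially trustworthy" as HTTPS or a loopback host; the function names, return strings and sample addresses are constructed for illustration.

```javascript
// Added illustration, not Chromium source. Simplified: IPv4 loopback and
// RFC 1918 ranges only; names and return strings are hypothetical.
const RANK = { public: 0, private: 1, local: 2 }; // higher = less public

function addressSpace(ip) {
  const [a, b] = ip.split('.').map(Number);
  if (a === 127) return 'local';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) {
    return 'private';
  }
  return 'public';
}

// Rough stand-in for "potentially trustworthy": HTTPS, or a loopback host.
function isPotentiallyTrustworthy(url) {
  return url.protocol === 'https:' ||
    url.hostname === 'localhost' || url.hostname === '127.0.0.1';
}

function preflightDecision({ initiatorUrl, clientIp, targetUrl, targetIp }) {
  const initiator = new URL(initiatorUrl);
  const target = new URL(targetUrl);
  // Only requests toward a less-public address space are in scope.
  if (RANK[addressSpace(targetIp)] <= RANK[addressSpace(clientIp)]) {
    return 'not-local-network-request';
  }
  // The relaxation in this intent: same-origin AND potentially trustworthy.
  if (initiator.origin === target.origin && isPotentiallyTrustworthy(target)) {
    return 'skip-preflight';
  }
  return 'send-preflight';
}

// Constructed sample: the page came from a public address, the fetch
// resolves to a private one (split-horizon DNS or a rebinding attempt).
const base = { clientIp: '203.0.113.7', targetIp: '192.168.1.10' };
const cases = [
  // HTTPS same-origin: the private server must hold a valid certificate.
  { ...base, initiatorUrl: 'https://app.example/', targetUrl: 'https://app.example/api' },
  // HTTP same-origin: nothing proves who answers, so the preflight stays.
  { ...base, initiatorUrl: 'http://app.example/', targetUrl: 'http://app.example/api' },
  // Cross-origin to a private address: unchanged, still preflighted.
  { ...base, initiatorUrl: 'https://app.example/', targetUrl: 'https://router.example/cfg' },
];
for (const c of cases) console.log(c.targetUrl, '->', preflightDecision(c));
```
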