You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This has come up in discussions several times, and PR #1 has outlived its usefulness as a forum for this issue.
The current version of the spec defines private network requests as requests going from public to private, or private to local address spaces. These represent kinds of privilege escalations in that websites that probably would not have access to the target IP address directly gain access by pivoting through a browser that can reach both endpoints. It makes sense to focus on this, since it solves the problem of malicious public websites attempting drive-by attacks against their visitors by poking at their private network devices.
This does not protect against private network lateral movement, where a website on private network A can poke at devices on private network B via a browser connected to both. In fact, one can make the case that all accesses to web endpoints served on non-public IP addresses should be restricted, as they all make use of the privileged position of the browser's host on the network.
We could expand the scope of the definition of private network requests to, simply: all cross-origin requests that target non-public IP addresses.
This is strictly additional work compared to the existing spec. There should be no wasted work in implementing the current version before concercing ourselves with this extension. In addition, the compatibility risk of such an extension would have to be carefully considered - one can imagine that it would break many more deployments. For that reason, I'm leaving this issue on the back-burner for a while.
The text was updated successfully, but these errors were encountered:
@martinthomson makes a good point in w3ctag/design-reviews#572 (comment): restricting loopback to loopback requests might be significantly easier than restricting private to private. Something worth considering when we come back to this issue.
This has come up in discussions several times, and PR #1 has outlived its usefulness as a forum for this issue.
The current version of the spec defines private network requests as requests going from
public
toprivate
, orprivate
tolocal
address spaces. These represent kinds of privilege escalations in that websites that probably would not have access to the target IP address directly gain access by pivoting through a browser that can reach both endpoints. It makes sense to focus on this, since it solves the problem of malicious public websites attempting drive-by attacks against their visitors by poking at their private network devices.This does not protect against private network lateral movement, where a website on private network A can poke at devices on private network B via a browser connected to both. In fact, one can make the case that all accesses to web endpoints served on non-public IP addresses should be restricted, as they all make use of the privileged position of the browser's host on the network.
We could expand the scope of the definition of private network requests to, simply: all cross-origin requests that target non-public IP addresses.
This is strictly additional work compared to the existing spec. There should be no wasted work in implementing the current version before concercing ourselves with this extension. In addition, the compatibility risk of such an extension would have to be carefully considered - one can imagine that it would break many more deployments. For that reason, I'm leaving this issue on the back-burner for a while.
The text was updated successfully, but these errors were encountered: