Restrict all cross-origin requests to non-public IP addresses

[letitz]

This has come up in discussions several times, and PR #1 has outlived its usefulness as a forum for this issue.

The current version of the spec defines private network requests as requests going from public to private, or private to local address spaces. These represent kinds of privilege escalations in that websites that probably would not have access to the target IP address directly gain access by pivoting through a browser that can reach both endpoints. It makes sense to focus on this, since it solves the problem of malicious public websites attempting drive-by attacks against their visitors by poking at their private network devices.

This does not protect against private network lateral movement, where a website on private network A can poke at devices on private network B via a browser connected to both. In fact, one can make the case that all accesses to web endpoints served on non-public IP addresses should be restricted, as they all make use of the privileged position of the browser's host on the network.

We could expand the scope of the definition of private network requests to, simply: all cross-origin requests that target non-public IP addresses.

This is strictly additional work compared to the existing spec. There should be no wasted work in implementing the current version before concercing ourselves with this extension. In addition, the compatibility risk of such an extension would have to be carefully considered - one can imagine that it would break many more deployments. For that reason, I'm leaving this issue on the back-burner for a while.

[letitz]

@martinthomson makes a good point in w3ctag/design-reviews#572 (comment): restricting loopback to loopback requests might be significantly easier than restricting private to private. Something worth considering when we come back to this issue.