Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Local Network Access #163

Closed
letitz opened this issue Apr 6, 2023 · 4 comments
Closed

Local Network Access #163

letitz opened this issue Apr 6, 2023 · 4 comments
Assignees
@johnwilander @annevk
Labels
from: Google Proposed, edited, or co-edited by Google. position: support topic: fetch Relates to the Fetch API topic: networking venue: WHATWG Fetch Workstream venue: WICG Proposal is incubated in the Web Incubator Community Group

Comments

@letitz
Copy link

letitz commented Apr 6, 2023
edited by annevk
Loading

WebKittens

@annevk

Title of the spec

Local Network Access (aka Private Network Access, CORS-RFC1918)

URL to the spec

https://wicg.github.io/local-network-access

URL to the spec's repository

https://github.com/wicg/local-network-access

Issue Tracker URL

No response

Explainer URL

https://github.com/WICG/local-network-access/blob/main/explainer.md

TAG Design Review URL

w3ctag/design-reviews#572

Mozilla standards-positions issue URL

mozilla/standards-positions#143

WebKit Bugzilla URL

https://bugs.webkit.org/show_bug.cgi?id=250607

Radar URL

rdar://104246665

Description

Local Network Access aims to prevent CSRF attacks against insecure devices on the local network. This is achieved by deprecating direct access to private IP addresses from public websites, and instead requiring that:

  • the initiator website be served over HTTPS
  • the target website respond affirmatively to an augmented CORS preflight request

Note that we are working on adding a path for HTTPS initiators to bypass mixed content restrictions when talking to the local network, since HTTPS communications on the local network are difficult to set up and operate.

Previous requests for positions, from back in 2021:
@gsnedders
Copy link
Member

cc @rreno @johnwilander @aproskuryakov @fred-wang

@fred-wang
Copy link

cc @javifernandez

@gsnedders gsnedders added topic: networking venue: WICG Proposal is incubated in the Web Incubator Community Group from: Google Proposed, edited, or co-edited by Google. labels Apr 6, 2023
@hober hober moved this from Unscreened to Needs position in Standards Positions Review Backlog Apr 6, 2023
@letitz letitz mentioned this issue May 26, 2023
Merged
@annevk
Copy link
Contributor

annevk commented Jun 20, 2023

I've discussed this with colleagues and while we're supportive of this effort we quite strongly disagree with the latest name of the specification and nomenclature used therein as discussed in WICG/private-network-access#91. In particular we think that using "private" instead of "local" can lead to confusion. Once we get around to implementing this specification, we might also attempt to improve upon the header names as discussed in that issue.

With that caveat, I suggest we mark this as "position: support" one week from now.

@annevk annevk closed this as completed Jun 30, 2023
@github-project-automation github-project-automation bot moved this from Needs position to Done in Standards Positions Review Backlog Jun 30, 2023
@danielcompton danielcompton mentioned this issue Oct 15, 2023
Open
@jub0bs
Copy link

jub0bs commented Oct 16, 2023

@annevk

Once we get around to implementing this specification, we might also attempt to improve upon the header names as discussed in that issue.

A disagreement between browser vendors about which header names (-Local or -Private-) to use is likely to cause difficulties for implementors of CORS middleware libraries, who would then need to support both names. Please take this into account.

@annevk annevk mentioned this issue Nov 14, 2023
Closed
@Fdawgs Fdawgs mentioned this issue Nov 14, 2023
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@johnwilander johnwilander

@annevk annevk

Labels
from: Google Proposed, edited, or co-edited by Google. position: support topic: fetch Relates to the Fetch API topic: networking venue: WHATWG Fetch Workstream venue: WICG Proposal is incubated in the Web Incubator Community Group
Projects
Standards Positions Review Backlog
Status: Done
Milestone
No milestone
Development

No branches or pull requests
6 participants
@gsnedders @fred-wang @johnwilander @annevk @letitz @jub0bs