Add private network access #2466
Some minor wording suggestions, but LGTM!
features/private-network-access.yml
@@ -0,0 +1,7 @@ | |||
name: Private Network Access | |||
description: The Private Network Access feature is a set of modifications to Fetch and HTML which are intended to mitigate the risks associated with unintentional exposure of devices and servers on a client’s internal network to the web at large. |
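Review bot: the `description:` value restates the feature name and only says it is "intended to mitigate the risks associated with unintentional exposure", so it never says which requests are affected or what a site or device has to do. Suggest stating the direction explicitly (requests from websites to hosts on the client's internal network) and naming the mechanism developers interact with, in the active voice.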
description: The Private Network Access feature is a set of modifications to Fetch and HTML which are intended to mitigate the risks associated with unintentional exposure of devices and servers on a client’s internal network to the web at large. | |
description: Private Network Access modifies Fetch and HTML to mitigate the risks associated with unintentional exposure of devices and servers on a client’s internal network to the web at large. |
The description talks about modifying other features. It's not clear how this is a feature to developers. I had a skim through the spec, so I don't really understand this thing, but I suspect we want to say something more in this direction:
description: The Private Network Access feature is a set of modifications to Fetch and HTML which are intended to mitigate the risks associated with unintentional exposure of devices and servers on a client’s internal network to the web at large. | |
description: The `Access-Control-Request-Private-Network: true` and `Access-Control-Allow-Private-Network: true` HTTP request and response headers establish permission for websites to make requests to internal networks, such as to routers. |
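Review bot: the suggested `description:` value is an unquoted YAML scalar that contains `: ` twice (inside `Access-Control-Request-Private-Network: true` and `Access-Control-Allow-Private-Network: true`), and a plain scalar cannot contain a colon followed by a space, so the file would fail to parse. Suggest wrapping the value in double quotes or using a folded block scalar.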
Curiously, BCD doesn't appear to represent the request header. If we went this route, we probably ought to file a bug on BCD reporting it as missing.
> It's not clear how this is a feature to developers.
Yeah, it's complicated. Think about it this way:
- developers could make requests to the local network since forever
- now that's being removed
- PNA is the new way to safely do it
The "What's new" section here lays out the "feature" part:
https://developer.chrome.com/blog/private-network-access-preflight
Your edit makes this much more clearly a feature than the "mitigation" wording, thanks!
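The header exchange discussed in the comments above, as an added example that is not part of the PR or the project's code: how a device on an internal network could answer the preflight, opting in only for origins it trusts. The function name, the origin allowlist, the method list and the sample requests are assumptions made for the illustration.

```javascript
// Added example (not from the PR): decide how a private-network device
// answers a Private Network Access preflight. Pure function, no network.
// ALLOWED_ORIGINS and ALLOWED_METHODS are constructed values.
const ALLOWED_ORIGINS = new Set(["https://admin.example"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

function answerPreflight(method, headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).trim();
  }

  const origin = h["origin"];
  const wanted = h["access-control-request-method"];
  // A CORS preflight is an OPTIONS request carrying both of these headers.
  if (method !== "OPTIONS" || origin === undefined || wanted === undefined) {
    return { status: 400, headers: {} };
  }

  // Unknown origin or method: send no CORS headers, so the browser
  // refuses to send the actual request.
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.has(wanted)) {
    return { status: 403, headers: {} };
  }

  const out = {
    "Access-Control-Allow-Origin": origin, // exact origin, never "*"
    "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
    "Vary": "Origin, Access-Control-Request-Private-Network",
  };
  // Grant private-network permission only when the browser asked for it.
  if (h["access-control-request-private-network"] === "true") {
    out["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: out };
}
```
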
Committed this change, which maybe is enough until BCD is sorted.
Or we could leave this open and blocked until then.
As long as the `Request.targetAddressSpace` property is representative of browser support for this (which it appears to be, at least for now) we don't have to block on the missing keys. Let's go with this.
Co-authored-by: Daniel D. Beck <daniel@ddbeck.com>
Seems clearly referred to as a standalone feature in developer conversations, but also there's not much there there in BCD yet around it.
NOTE: see mdn/browser-compat-data#25467