Chrome will limit access to private networks, citing security reasons

silversurfer

Aug 17, 2014
Google says that its Chrome browser will soon block internet websites from querying and interacting with devices and servers located inside local private networks, citing security reasons and past abuse from malware operations.

The change will take place through the implementation of a new W3C specification called Private Network Access (PNA) that will be rolled out in the first half of the year.
The new PNA specification adds a mechanism inside the Chrome browser through which internet sites can ask systems inside local networks for permission before establishing a connection.

Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true.
Eiji Kitamura and Titouan Rigoudy, Google
According to Google, a version of PNA has already been shipped with Chrome 96, released in November 2021, but full support will be rolled out in two phases this year, with the Chrome 98 (early March) and Chrome 101 (late May) releases, as detailed below:
  1. In Chrome 98:
  • Chrome sends preflight requests ahead of private network subresource requests.
  • Preflight failures only display warnings in DevTools, without otherwise affecting the private network requests.
  • Chrome gathers compatibility data and reaches out to the largest affected websites.
  • We expect this to be broadly compatible with existing websites.
  2. In Chrome 101 at the earliest:
  • This will begin only if and when compatibility data indicates that the change is safe enough and we’ve outreached directly when necessary.
  • Chrome enforces that preflight requests must succeed, otherwise failing the requests.
  • A deprecation trial starts at the same time to allow for websites affected by this phase to request a time extension. The trial will last for at least 6 months.
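As an added illustration of the preflight exchange described above (this is not code from the article, from Google or from Chromium), here is how a service sitting on a private network can answer Chrome's PNA preflight: the two header names come from the post, while the origin allow-list, the example origin and the helper name are assumptions made for the demo.

```python
# Added example: answering a Private Network Access (PNA) preflight on the
# server side. Only the Access-Control-*-Private-Network header names come
# from the article; everything else here is constructed for illustration.
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allow-list: the only public origins permitted to reach this
# private-network service. Anything else gets no CORS/PNA grant at all.
ALLOWED_ORIGINS = {"https://dashboard.example"}


def pna_preflight_response(request_headers, allowed_origins=ALLOWED_ORIGINS):
    """Decide how to answer a CORS preflight that may carry the PNA header.

    Returns (status_code, response_headers). Header names are matched
    case-insensitively because HTTP header names are not case-sensitive.
    """
    h = {k.lower(): v.strip() for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin not in allowed_origins:
        # Unknown origin: answer without any Allow-* headers, so the browser
        # fails the preflight and never sends the real request.
        return 403, {}
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, POST",
        "Vary": "Origin",  # the grant is per origin, so caches must key on it
    }
    if "access-control-request-headers" in h:
        resp["Access-Control-Allow-Headers"] = h["access-control-request-headers"]
    # Chrome adds this request header when a public page targets a private
    # address; the grant is only issued for an already-allow-listed origin.
    if h.get("access-control-request-private-network") == "true":
        resp["Access-Control-Allow-Private-Network"] = "true"
    return 204, resp


class PreflightHandler(BaseHTTPRequestHandler):
    """Minimal handler wiring the decision above into an OPTIONS response."""

    def do_OPTIONS(self):
        status, hdrs = pna_preflight_response(dict(self.headers))
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Constructed local listener; a real device would bind its LAN address.
    HTTPServer(("127.0.0.1", 8080), PreflightHandler).serve_forever()
```

Because the allow-list check runs before the PNA grant, a page from an origin you have not listed receives neither header and Chrome (from the enforcement phase onward) fails the request, which is the behaviour the rollout is designed to produce.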