johnathan79717
commented
1 year ago They should work just like public to public requests.
Open softworkz opened 1 year ago
johnathan79717
commented
1 year ago They should work just like public to public requests.
softworkz
commented
1 year ago But this is creating a weird situation!
Assuming I want to access http://192.168.1.10/iot_device_endpoint
Then - with this new mechanism - I will be able to access the above (private network) URL from a public site like https://mysite.com but not from https://localhost or not from https://privatehost.local.
So we'll be forced to serve via http instead, which wouldn't have been a problem in earlier times, but as you are cutting off all new features from http,
It can't be that a publicly served site has more access privileges in my local network than something I'm serving in my local network only...?!
softworkz
commented
1 year ago Can you please re-open?
johnathan79717
commented
1 year ago I don't understand. Why can't you access the above URL from https://localhost or https://privatehost.local? I meant the spec doesn't block any private -> private or local -> anything requests.
softworkz
commented
1 year ago johnathan79717
commented
1 year ago I see your point. Indeed, mixed content would block those requests. It is a little weird that public websites can get around mixed content but private and local can't.
softworkz
commented
1 year ago Thanks for re-opening!
With all the cloud-centric hype these days, it should not be forgotten that the most secure systems are those where no public network communication is happening or required at all, and such solutions must not be disregarded.
letitz
commented
1 year ago Thanks for the feedback! It seems to me we can just remove the assertions that the target IP address space is less public than the client's, both in the spec and in Chromium. Then https://localhost should be able to make requests that bypass mixed content, but only to the private network.
softworkz
commented
1 year ago Sounds good. I've changed the title accordingly.
How about private => local ? Will the implementation be smart enough to detect whether an IP address is a local one? Or does it just look for localhost and 127.0.0.1?
johnathan79717
commented
1 year ago How about
private => local? Will the implementation be smart enough to detect whether an IP address is a local one? Or does it just look forlocalhostand127.0.0.1?
https://wicg.github.io/private-network-access/#non-public-ip-address-blocks listed IP address ranges that are considered local.
softworkz
commented
1 year ago Yes, I've read that. But will it work?
Assuming the web site is served from the local network - let's say 192.168.1.99 (www.local) and my machine is 192.168.1.11 (mymachine.local).
So in the browser, I'm opening https://www.local. And this web app shall connect to a service on my machine.
Which of those urls would work and which won't?
(assuming the required mechanisms are implemented)
johnathan79717
commented
1 year ago According to step 4 of https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy, the first 3 are trustworthy and shouldn't be blocked as mixed content as Chrome is today.
The 4th and 5th shall be relaxed once Chrome implements what @letitz mentioned in https://github.com/WICG/private-network-access/issues/109#issuecomment-1630384393
softworkz
commented
1 year ago Excellent! I've updated the title.
Thanks
CSiggers77
commented
5 months ago I am new. Can anyone help me as far as what to do from the initial start?
johnathan79717
commented
5 months ago I am new. Can anyone help me as far as what to do from the initial start?
@CSiggers77 What do you hope to achieve?
The explainer states:
How is that supposed to work then? Is there a different mechanism?
Thanks