Current State of Permission Prompt?

[softworkz]

Is it supposed to work already?

I precisely followed the instructions here: https://docs.google.com/document/d/1AvmBr14fBx1N1wVbuCMYJF4Oaix6ILWrt60jufoAVeI/edit

But I see no preflight request. It's being blocked as mixed content right away (Chrome 114).

[iVanlIsh]

Thanks for reaching out!

We are currently planning to start the origin trial on Chrome M117 (branch on Aug 8, 2023, stable release on Sep 12, 2023)

[softworkz]

I have more questions...

Why are you imposing so much work on tens of thousands of developers in the world? Can't you find an easier way for developers to opt in? Especially the requirement for everybody needing to implement a serviceworker for intercepting image loading and the like appears to be insane...

Can you please check whether the following code is what developers are supposed to be doing to adjust fetch requests?

/* jshint module: true */

// Implementation according to
// - https://docs.google.com/document/d/1AvmBr14fBx1N1wVbuCMYJF4Oaix6ILWrt60jufoAVeI/edit
// - https://github.com/WICG/private-network-access
// - https://github.com/WICG/private-network-access/blob/master/permission_prompt/explainer.md

function getAddressSpace(host) {

    try {

        const octets = host.split('.').map(Number);

        if (octets.length !== 4 || octets.some(octet => isNaN(octet) || octet < 0 || octet > 255)) {
            return null;
        }

        if (octets[0] === 10) {
            return 'private';
        }

        if (octets[0] === 172 && octets[1] >= 16 && octets[1] <= 31) {
            return 'private';
        }

        if (octets[0] === 192 && octets[1] === 168) {
            return 'private';
        }

        if (octets[0] === 127) {
            return 'local';
        }

        if (octets[0] === 100 && octets[1] >= 64 && octets[1] <= 127) {
            return 'private';
        }

        if (octets[0] === 198 && octets[1] >= 18 && octets[1] <= 19) {
            return 'local';
        }

        if (octets[0] === 169 && octets[1] === 254) {
            return 'private';
        }

        return null;

    } catch (e) {
        console.error(e.message);
        return null;
    }
}

function adjustFetchOptions(url, options) {

    if (!self.isSecureContext) {
        return;
    }

    const urlObj = new URL(url);
    const host = urlObj.hostname;
    const protocol = urlObj.protocol;

    if (protocol !== 'http:') {
        return false;
    }

    const addressSpace = getAddressSpace(host);
    if (!addressSpace) {
        return;
    }

    options.targetAddressSpace = addressSpace;
}

export default { adjustFetchOptions: adjustFetchOptions };

[iVanlIsh]

targetAddressSpace is generally for people using URLs, other than literal IP address hosts, to reaching private network. In that case, the browser won't be able to know the IP address when placing mixed-content check which happens before the socket has been established.

We might want to take special treatment for IP address hosts and automatically apply targetAddressSpace in the future.

Noted that we are restricting the websites which trying to talk to private network with secure context. It is not true only if the website has joined the deprecation trial. We would like to close the deprecation trial after this permission prompt proposal launched.

[softworkz]

Thanks a lot for getting back!

targetAddressSpace is generally for people using URLs, other than literal IP address hosts, to reaching private network. In that case, the browser won't be able to know the IP address when placing mixed-content check which happens before the socket has been established.

Ah - private DNS, understood - that was the missing bit.

We might want to take special treatment for IP address hosts and automatically apply targetAddressSpace in the future.

That would make a lot of sense because in case of numeric/IP hosts, all developers would need to include that same code like above unnecessarily.

Same reason with regards to the idea of requiring everybody to implement a serviceworker for the sole purpose of adding that fetch() option.

Would it be possible to find an easier (integrated/automatic) method for cases like image loading?

Noted that we are restricting the websites which trying to talk to private network with secure context. It is not true only if the website has joined the [deprecation trial].

Could you please clarify the "It is not true only if..." sentence?

For context: Yes, we have joined the deprecation trial. It allows us to continue doing the following:

• A: public http => private http
• B: public http => public http

What's not working right now (no matter with or without deprecation trial) is:

• C: public https => private http

But C is supposed to work in the future as a replacement for A and A won't be working anymore, when the deprecation trial ends.

Everything correct so far?

I assume, B will stop working either, can you confirm?

[iVanlIsh]

Yes, C is supposed to work ad a replacement for A.

We have no current plan to stop B. It is at least out of scope of Private Network Access context.

FYI, the permission prompt Origin Trial has started since M120: https://developer.chrome.com/origintrials/#/view_trial/1367968386813788161

[softworkz]

Thanks for the update. We'll jump in the origin trial once 120 is ga and report back.

[softworkz]

FYI, the permission prompt Origin Trial has started since M120: developer.chrome.com/origintrials/#/view_trial/1367968386813788161

Hi @iVanlIsh, I have a few questions:

• Is there a command line switch for local testing?
• Is there also one for the main original trial (to compare behavior)?
• Is there an updated implementation document (like the one I referenced in the first post?
• Do you know whether it's also in Edge 120?

Thank you very much