Open softworkz opened 1 year ago
Thanks for reaching out!
We are currently planning to start the origin trial on Chrome M117 (branch on Aug 8, 2023, stable release on Sep 12, 2023)
I have more questions...
Why are you imposing so much work on tens of thousands of developers in the world? Can't you find an easier way for developers to opt in? Especially the requirement for everybody needing to implement a serviceworker for intercepting image loading and the like appears to be insane...
Can you please check whether the following code is what developers are supposed to be doing to adjust fetch requests?
```js
/* jshint module: true */
// Implementation according to
// - https://docs.google.com/document/d/1AvmBr14fBx1N1wVbuCMYJF4Oaix6ILWrt60jufoAVeI/edit
// - https://github.com/WICG/private-network-access
// - https://github.com/WICG/private-network-access/blob/master/permission_prompt/explainer.md

// Classify an IPv4 literal host as 'private' or 'local'.
// Returns null for public addresses and for anything that is not an IPv4 literal.
function getAddressSpace(host) {
    try {
        const octets = host.split('.').map(Number);
        if (octets.length !== 4 || octets.some(octet => isNaN(octet) || octet < 0 || octet > 255)) {
            return null;
        }
        if (octets[0] === 10) {
            return 'private';
        }
        if (octets[0] === 172 && octets[1] >= 16 && octets[1] <= 31) {
            return 'private';
        }
        if (octets[0] === 192 && octets[1] === 168) {
            return 'private';
        }
        if (octets[0] === 127) {
            return 'local';
        }
        if (octets[0] === 100 && octets[1] >= 64 && octets[1] <= 127) {
            return 'private';
        }
        if (octets[0] === 198 && octets[1] >= 18 && octets[1] <= 19) {
            return 'local';
        }
        if (octets[0] === 169 && octets[1] === 254) {
            return 'private';
        }
        return null;
    } catch (e) {
        console.error(e.message);
        return null;
    }
}

// Set options.targetAddressSpace for plain-http requests to a non-public IPv4 host.
// Returns true when the option was set, false otherwise.
function adjustFetchOptions(url, options) {
    // Only pages in a secure context need the option.
    if (!self.isSecureContext) {
        return false;
    }
    const urlObj = new URL(url);
    const host = urlObj.hostname;
    const protocol = urlObj.protocol;
    // Only plain-http targets are affected.
    if (protocol !== 'http:') {
        return false;
    }
    const addressSpace = getAddressSpace(host);
    if (!addressSpace) {
        return false;
    }
    options.targetAddressSpace = addressSpace;
    return true;
}

export default { adjustFetchOptions: adjustFetchOptions };
```
`targetAddressSpace` is generally for people using URLs, other than literal IP address hosts, to reach the private network. In that case, the browser won't be able to know the IP address when placing the mixed-content check, which happens before the socket has been established.
We might want to take special treatment for IP address hosts and automatically apply `targetAddressSpace` in the future.
Note that we are restricting the websites which are trying to talk to private network with secure context. It is not true only if the website has joined the deprecation trial. We would like to close the deprecation trial after this permission prompt proposal is launched.
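The private-DNS case described in the reply above, as an added example that is not part of the thread or of Chrome's code: the page itself has to say which hostnames resolve to non-public addresses, because the option is evaluated before any DNS lookup. `PRIVATE_DNS_HOSTS`, its hostnames, `ipv4AddressSpace` and `withTargetAddressSpace` are assumed names, and the secure-context and `http:` conditions follow the code posted above.

```javascript
// Added example. Hostnames below are constructed; a real page would list the
// names it knows are served from its own private DNS.
const PRIVATE_DNS_HOSTS = new Map([
  ['nas.home.example', 'private'],
  ['printer.corp.example', 'private'],
]);

// Address space of an IPv4 literal, using the same ranges as the posted code.
function ipv4AddressSpace(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;                       // not an IPv4 literal
  const octets = m.slice(1).map(Number);
  if (octets.some(o => o > 255)) return null;
  const [a, b] = octets;
  if (a === 127 || (a === 198 && (b === 18 || b === 19))) return 'local';
  if (a === 10 ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127) ||
      (a === 169 && b === 254)) return 'private';
  return null;                               // public IPv4 address
}

// Returns fetch options with targetAddressSpace added when the page is a
// secure context and the target is a plain-http host known to be non-public.
// The caller's options object is never mutated.
function withTargetAddressSpace(url, options = {},
                                secureContext = globalThis.isSecureContext) {
  if (!secureContext) return options;
  // URL parsing lowercases the hostname and normalizes IPv4 literals.
  const { protocol, hostname } = new URL(url);
  if (protocol !== 'http:') return options;  // https targets are not mixed content
  const space = ipv4AddressSpace(hostname)
    ?? PRIVATE_DNS_HOSTS.get(hostname)
    ?? null;
  return space ? { ...options, targetAddressSpace: space } : options;
}
```

Usage in a page would be `fetch(url, withTargetAddressSpace(url, { mode: 'cors' }))`; hosts that are neither listed nor non-public IPv4 literals pass through unchanged.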
Thanks a lot for getting back!
> `targetAddressSpace` is generally for people using URLs, other than literal IP address hosts, to reach the private network. In that case, the browser won't be able to know the IP address when placing the mixed-content check, which happens before the socket has been established.
Ah - private DNS, understood - that was the missing bit.
> We might want to take special treatment for IP address hosts and automatically apply `targetAddressSpace` in the future.
That would make a lot of sense because in case of numeric/IP hosts, all developers would need to include that same code like above unnecessarily.
Same reason with regards to the idea of requiring everybody to implement a serviceworker for the sole purpose of adding that fetch() option.
Would it be possible to find an easier (integrated/automatic) method for cases like image loading?
> Note that we are restricting the websites which are trying to talk to private network with secure context. It is not true only if the website has joined the deprecation trial.
Could you please clarify the "It is not true only if..." sentence?
For context: Yes, we have joined the deprecation trial. It allows us to continue doing the following:
A. public http => private http
B. public http => public http
What's not working right now (no matter with or without deprecation trial) is:
C. public https => private http
But C is supposed to work in the future as a replacement for A and A won't be working anymore, when the deprecation trial ends.
Everything correct so far?
I assume B will stop working as well; can you confirm?
Yes, C is supposed to work as a replacement for A.
We have no current plan to stop B. It is at least out of scope of Private Network Access context.
FYI, the permission prompt Origin Trial has started since M120: https://developer.chrome.com/origintrials/#/view_trial/1367968386813788161
Thanks for the update. We'll jump in the origin trial once 120 is ga and report back.
> FYI, the permission prompt Origin Trial has started since M120: developer.chrome.com/origintrials/#/view_trial/1367968386813788161
Hi @iVanlIsh, I have a few questions:
Thank you very much
Is it supposed to work already?
I precisely followed the instructions here: https://docs.google.com/document/d/1AvmBr14fBx1N1wVbuCMYJF4Oaix6ILWrt60jufoAVeI/edit
But I see no preflight request. It's being blocked as mixed content right away (Chrome 114).