New CORS header "Access-Control-Request-Private-Network"

[righettod]

Hi,

Add new CORS header Access-Control-Request-Private-Networkand related information flow in the section Miscellaneous.

🌎 Sources:

• https://portswigger.net/daily-swig/chrome-to-bolster-csrf-protections-with-cors-preflight-checks-on-private-network-requests
• https://developer.chrome.com/blog/private-network-access-update/
• https://wicg.github.io/private-network-access/
• https://github.com/WICG/private-network-access

💬 March 2022 update:

💬 June 2022 update:

💬 January 2023 update:

[righettod]

@riramar This is a status on January 2023 😉

Status

📍 The feature is not yet enabled by default in current release of Chrome (109) on January 2023. Indeed, according to the rollout-plan it will be enabled from version 111.

Chrome version

Test setup

💻 From a PUBLIC host to a LOCAL host:

Source

👀 https://wicg.github.io/local-network-access/#example-deny-by-default

👀 https://wicg.github.io/local-network-access/#private-network-request-heading

Using default Chrome setup

❌ No CORS-preflight request send.

❌ No header Access-Control-Request-Private-Network send.

🤔 Personally, I prefer to wait that the feature was enabled by default prior to include it into the OSHP site.

[riramar]

Totally agree with you @righettod . Let's wait to Chrome enable the feature by default.

[riramar]

Thanks for checking in details. :)

[righettod]

Thanks for checking in details. :)

It is my job as PL and, in addition, I enjoy deep diving into technical stuff to be sure to fully understand how it works 😃

[righettod]

📡 Update on 2023-05-07 (Source):

💬 Current stable release of Chrome is the 113:

[righettod]

📡 This issue give a status:

[righettod]

PR https://github.com/OWASP/www-project-secure-headers/pull/154 linked