Local Network Access and Mixed Content specification

[jaime-rivas]

Description

Local / Private Network Access: is a security mechanism to explicitly opt-in to requests from the public internet. It allows secure websites on the public internet to make requests to internal devices and servers. There are several use cases for webapps running in a web interface to call APIs on a user’s loopback address (e.g. a webapp calling a nodejs service running in the computer).

Mixed Content specification: Blink and Gecko allow secure websites to call loopback addresses. WebKit deviate from the W3C Mixed Content specification and forbid these requests as Mixed Content. They also do not implement Private Network Access, so websites might wish to redirect clients using such browsers to a plaintext HTTP version of the website, which would still be allowed by such browsers to make requests to localhost.

It would be very positive to:

• Gecko and Webkit: implement Local Private Access to allow these requests from secure context while mitigating malicious behaviors.
• Webkit: follow the W3C Mixed Content specification

Specification

https://wicg.github.io/private-network-access/

Open Issues

Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=1481298 (meta bug)

Webkit: https://bugs.webkit.org/show_bug.cgi?id=250607 (meta bug) https://bugs.webkit.org/show_bug.cgi?id=171934 (current issues with localhost) https://bugs.webkit.org/show_bug.cgi?id=250776 (current issues with localhost)

Tests

https://wpt.fyi/results/fetch/private-network-access?label=master&label=experimental&aligned

Current Implementations

• [X] Blink
• [ ] Gecko
• [ ] WebKit

Standards Positions

Blink: Implemented Gecko: Positive. https://mozilla.github.io/standards-positions/#cors-and-rfc1918 Webkit: No position

Browser bug reports

No response

Developer discussions

No response

Polls & Surveys

No response

Existing Usage

No response

Workarounds

No response

Accessibility Impact

No response

Privacy Impact

No response

Other

No response

[nairnandu]

Thank you for proposing Local Network Access and Mixed Content specification for inclusion in Interop 2024.

We wanted to let you know that this proposal was not selected to be part of Interop 2024. This is because we got many more proposals than we could include in this year's project. Note that individual vendors may nevertheless choose to advance work in this area during the forthcoming year. We would welcome this proposal being resubmitted again next year, if necessary.

For an overview of our process, see proposal selection. Thank you again for contributing to Interop 2024!

Posted on behalf of the Interop team.