Merge branch 'WICG:main' into main
iVanlIsh authored Apr 24, 2024
2 parents 247724c + 00e824a commit 06661c6
Showing 4 changed files with 56 additions and 12 deletions.
3 changes: 2 additions & 1 deletion explainer.md
@@ -135,7 +135,8 @@ Private network requests are handled differently than others, like so:
blocked.
- Otherwise, the original request is preceded by a
[CORS pre-flight request](https://fetch.spec.whatwg.org/#cors-preflight-request).
- There are no exceptions for CORS safelisting.
- CORS safelisting checks are skipped if the CORS preflight is only sent for PNA.
(i.e. it would not have been sent without PNA)
- The pre-flight request carries an additional
`Access-Control-Request-Private-Network: true` header.
- The response must carry an additional
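Review bot: the replacement bullet "CORS safelisting checks are skipped if the CORS preflight is only sent for PNA" is ambiguous about which side is relaxed: a reader can take it as the checks on the preflight response being waived, rather than the request being one that already passes the CORS safelist and so would not have needed a preflight at all. Suggest stating the condition first and the consequence second, and folding the parenthetical into the sentence, e.g. "If the preflight is sent only because of PNA (the request is CORS-safelisted and would not have triggered a preflight otherwise), the CORS safelist checks do not apply to it." The old bullet said there were no exceptions; since this is a behaviour change, a one-line rationale next to it would help future readers.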
60 changes: 50 additions & 10 deletions index.src.html
@@ -83,11 +83,11 @@ <h1>Private Network Access</h1>
},

"AVASTIUM": {
"href": "https://code.google.com/p/google-security-research/issues/detail?id=679",
"href": "https://bugs.chromium.org/p/project-zero/issues/detail?id=679",
"title": "Avast: A web-accessible RPC endpoint can launch 'SafeZone' (also called Avastium), a Chromium fork with critical security checks removed."
},
"TREND-MICRO": {
"href": "https://code.google.com/p/google-security-research/issues/detail?id=693",
"href": "https://bugs.chromium.org/p/project-zero/issues/detail?id=693",
"title": "TrendMicro node.js HTTP server listening on localhost can execute commands"
},
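Review bot: the two biblio entries only change host (code.google.com/p/google-security-research to bugs.chromium.org/p/project-zero) while keeping issue ids 679 and 693 and the original titles; worth confirming that both new URLs resolve to the same reports before merging, since nothing else in the entries was touched.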

@@ -841,15 +841,48 @@ <h4 id="fetching">Fetching</h4>
1. If |privateNetworkAccessCheckResult| is a [=network error=], return
|privateNetworkAccessCheckResult|.

1. Define a new algorithm to <dfn>determine the preflight mode</dfn>, given a
[=request=] |request| and a boolean |makeCORSPreflight|:

1. If |makeCORSPreflight| is true and one of these conditions is true:

* There is no method cache entry match for |request|'s
[=request/method=] using |request|, and either |request|'s
[=request/method=] is not a [=CORS-safelisted method=] or
|request|'s [=request/use-CORS-preflight flag=] is set.

* There is at least one [=list/item=] in the CORS-unsafe
request-header names with |request|'s [=request/header list=] for
which there is no header-name cache entry match using |request|.

Then:

1. If |request|'s [=request/target IP address space=] is not
null, then return "cors+pna".

1. Otherwise, return "cors".

1. If |request|'s [=request/target IP address space=] is not null, then
return "pna".

1. Otherwise, return "none".

1. Define a new algorithm called <dfn>HTTP-no-service-worker fetch</dfn>
based on the existing steps in [=HTTP fetch=] that are run if |response|
is still null after handling the fetch via service workers, and amend
those slightly as follows:

1. At the very start:
1. Let |preflightMode| be the result of invoking [=determine the
preflight mode=] given |request| and |makeCORSPreflight|.

1. If |request|'s [=request/target IP address space=] is not null,
then set <var ignore>makeCORSPreflight</var> to true.
1. Replace the entire condition "If <var ignore>makeCORSPreflight</var>
is true and ..., Then:" with:

1. If |preflightMode| is not "none", then:

1. Replace "running [=CORS-preflight fetch=] given |request|" with
"running [=CORS-preflight fetch=] given |request| and
|preflightMode|"

1. Immediately after running [=CORS-preflight fetch=]:

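Review bot: the replacement of "If makeCORSPreflight is true and ..., Then:" with "If |preflightMode| is not "none", then:" widens the condition: determine the preflight mode returns "pna" whenever the target IP address space is non-null even when |makeCORSPreflight| is false, so a preflight is now issued for requests that previously would never have preflighted. That is presumably the intent, but it is the substantive change of this hunk and deserves a note in the algorithm text (the existing Note about recursion depth does not cover it). Two smaller points: |preflightMode| is computed "at the very start" of HTTP-no-service-worker fetch while the method/header cache-entry conditions it evaluates used to be checked at the original condition point, so state that no intervening step may change the CORS-preflight cache; and the bare "Then:" line after the bulleted conditions does not follow the "..., then:" form used by the surrounding steps.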
@@ -878,8 +911,13 @@ <h4 id="fetching">Fetching</h4>
Note: Because |request|'s [=request/target IP address space=] is set to a
non-null value when recursing, this recursion can go at most 1 level deep.

1. The [=CORS-preflight fetch=] algorithm is adjusted to handle the
new headers:
1. The [=CORS-preflight fetch=] algorithm is adjusted to take a new parameter
|preflightMode| (default "cors"), and handle the new headers as follows:

1. Only append \``Accept`\` and
\`<a http-header>`Access-Control-Request-Headers`</a>\` to
<var ignore>preflight</var>'s [=request/header list=] if
|preflightMode| is true.

1. Immediately before running [$HTTP-network-or-cache fetch$]:

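Review bot: the new step ends with "if |preflightMode| is true", but |preflightMode| is a string taking the values "none", "cors", "pna" and "cors+pna" as defined in determine the preflight mode, so this condition never holds as written. It should read "if |preflightMode| is "cors" or "cors+pna"". Also say explicitly what happens to the `Access-Control-Request-Method` header in the "pna"-only case, since only `Accept` and `Access-Control-Request-Headers` are gated here.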
@@ -893,8 +931,10 @@ <h4 id="fetching">Fetching</h4>

1. Immediately after the [=CORS check=]:

1. If |request|'s [=request/target IP address space=] is not null,
then:
1. If |preflightMode| is "pna" or "cors+pna",

1. [=Assert=]: |request|'s [=request/target IP address space=] is
not null.

1. Let |allow| be the result of [=extracting header list values=]
given
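Review bot: the new condition line reads "If |preflightMode| is "pna" or "cors+pna"," with a trailing comma; the line it replaces, and the other steps in this section, use "..., then:". The added Assert is the right way to record that a "pna" or "cors+pna" mode implies a non-null target IP address space, since that invariant now lives in determine the preflight mode rather than in this check.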
@@ -917,7 +957,7 @@ <h4 id="fetching">Fetching</h4>
empty, let |targetId| be |request|'s [=request/target IP
address space=]. Store the permission as an ephemeral
permission, then return null.

1. Let |targetId| be the result of [=extracting header list
values=] given
"<a http-header>`Private-Network-Access-ID`</a>" and
@@ -1,4 +1,4 @@
# Private Network Access Permission to relax mixed content for non-fetch requests
# Content Security Policy for Private Network Access Permission to relax mixed content

- **Author**: lyf@google.com
- **Created**: 2023-11-24
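Review bot: the heading change drops the "for non-fetch requests" qualifier and reframes the document around Content Security Policy, while the Author and Created metadata directly below are unchanged. If the scope of the explainer actually changed, the in-body references to the old title and the Created date should be revisited in the same change; if only the title changed, a short line saying so would avoid the question.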
3 changes: 3 additions & 0 deletions security_privacy_self_review.md
@@ -23,6 +23,9 @@ laid out.

See #41 for a discussion of these points.

Also, in the prelights we send the initiator's `Origin`. This was necessary to give servers in the private network enough information
to decide whether they should allow the requests from public.

## 2. Is this specification exposing the minimum amount of information necessary to power the feature?

Yes, apart from the above.
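Review bot: typo in the added paragraph, "prelights" should be "preflights", and "allow the requests from public" reads better as "allow requests from the public network". Since the answer to question 2 is "Yes, apart from the above", the paragraph is doing real work here: name which `Origin` is meant (the initiating document's origin) so the exposure being acknowledged is unambiguous.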