Hi Libor,

I believe your interpretation is correct: even though browser vendors recognize the problem, compatibility woes from authors participating in the trial are postponing and watering down the adoption of a countermeasure comparable in practical effects to JShelter's Network Boundary Shield.

In today's WECG meeting we've discussed the DNR initiatorDomain wildcard issue, ending in a neutral position from Chrome and Safari and in an opposed "pending compelling use cases" from Firefox (probably also because they'll keep blocking webRequest so they've got a workaround).

As soon as I feel a bit better (hopefully next week, I'm still struggling with my infection and high fever) I plan to use this updated information you've collected on the local network access uncertain roadmap to open and bring to discussion a similar issue requesting DNR rules keywords to tell apart WAN and LAN resources both in initiator and destination, providing both JShelter's Network Boundary Shield and NoScript's own LAN protection as "compelling use cases".

Thanks and Best,
-- G

On 25/05/23 10:39, Libor Polčák wrote:

Hello all and especially Giorgio,

I have again looked at the Local Network Access (aka private network access) https://wicg.github.io/local-network-access/ and its status in the browsers we support.

Chrome/Chromium-based:

https://developer.chrome.com/blog/private-network-access-update/

It seems to me that since September 2021 (Chrome 94) HTTP pages cannot access private network resources (unless they participate in the deprecation trial). To this date all HTTPS pages can access private network resources. Google plans to restrict HTTPS sites but that is not yet deployed and no specific dates are set (https://developer.chrome.com/blog/private-network-access-update/#plans-for-the-future).

An older blog post indicates that Chrome supported first steps towards full LNA/PNA support (https://developer.chrome.com/blog/private-network-access-preflight/). The post mentions a rollback in Chrome 98 but I no longer can find details. As the post actually links to the updated blog post above, it seems that this post does not bring any new information on LNA/PNA status/plans.

Do I interpret these posts correctly?

As the Manifest v3 extension will (likely) not be able to integrate NBS that aims to mitigate the same issue, I am concerned that the users would actually lose the protection as it does not seem that Chromium-based browsers are going to block access to private network resources from HTTPS sites.

Firefox:

https://bugzilla.mozilla.org/show_bug.cgi?id=1481298
https://github.com/mozilla/standards-positions/issues/143
https://github.com/mozilla/standards-positions/blob/main/activities.json#L1114 ("mozPosition": "positive")

I interpret these as Mozilla is positive to implement LNA in the future, they may have experimented with the feature. But it is uncertain when the feature will actually land in Firefox.

Please let me know if I miss something or interpret the information incorrectly.

Thanks

Libor

--
Giorgio Maone
https://maone.net