Chrome is about to restrict access to private networks due to security concerns

Due to security concerns and past abuse by malware, Google says Chrome will soon block queries and interactions between Internet sites and devices/servers within local private networks. The change will come through the implementation of a new W3C specification, known as Private Network Access (PNA), which will be available in the first half of this year.

The new PNA specification adds a mechanism within the Chrome browser by which Internet sites can ask permission from systems within the local network before establishing a connection. Google says:


Chrome will start sending CORS preflight requests, which require explicit permission from the target server, before any private network requests for subresources.

This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true.

If a local device, such as a server or router, fails to respond to the preflight, Internet sites will be blocked from connecting to it. The new PNA specification is one of the most important security features to be added to the Chrome browser in recent years. Since the early 2010s, cybercriminal gangs have realized that they can use browsers as “proxies” to forward connections into a company’s internal network.

For example, a malicious website might contain code that attempts to access an IP address such as 192.168.0.1, which is typical of most router admin panels and can only be accessed from the local network. When a user visits such a malicious website, their browser can make automatic requests to their router without the user’s knowledge, sending malicious code, bypassing the router’s authentication, and modifying router settings.

Such attacks have indeed occurred before. Variations of this Internet-to-local network attack can also target other local systems such as internal servers, domain controllers, firewalls, and even locally hosted applications (via the http://localhost domain or other locally defined domains). By introducing the PNA specification and its permission negotiation system inside the Chrome browser, Google hopes to prevent this automated attack from becoming possible.
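The preflight handshake described above, and the way a local device (router admin panel, internal server) should answer it, as an added example that is not part of the original article and not Chrome's or any vendor's code. The origin allowlist, the listening address and the device paths are assumptions for the demo; `chrome_would_allow` is a deliberately simplified model of the Chrome 101 enforcement rule (preflight must succeed and carry the allow header), not Chrome's full CORS logic.

```python
"""Illustrative Private Network Access (PNA) preflight handling for a
local device. Example code written for this page; not Chrome's or any
vendor's implementation. Allowlist and bind address are assumptions."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

# Assumed allowlist: the only public origins this device will let a browser
# reach it from. An empty set means "deny every private-network request".
ALLOWED_ORIGINS = {"https://dashboard.example"}

PNA_REQUEST_HEADER = "Access-Control-Request-Private-Network"
PNA_ALLOW_HEADER = "Access-Control-Allow-Private-Network"


def evaluate_preflight(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide how to answer a CORS preflight (OPTIONS) request.

    Returns (status, response_headers). The PNA allow header is emitted only
    when the browser asked for private-network access AND the Origin is on
    the allowlist. Every other case answers without it, which makes an
    enforcing browser block the subsequent private-network request.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("origin")
    wants_pna = h.get(PNA_REQUEST_HEADER.lower(), "").lower() == "true"

    if origin is None or origin not in ALLOWED_ORIGINS:
        # Unknown or missing origin: plain 403 with no CORS/PNA headers.
        return 403, {}

    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",
    }
    if wants_pna:
        resp[PNA_ALLOW_HEADER] = "true"
    return 204, resp


def chrome_would_allow(status: int, resp_headers: Dict[str, str]) -> bool:
    """Simplified model of the Chrome 101 rule from the article: the private
    network request proceeds only if the preflight succeeded (2xx) and the
    response carried Access-Control-Allow-Private-Network: true."""
    h = {k.lower(): v.strip().lower() for k, v in resp_headers.items()}
    return 200 <= status < 300 and h.get(PNA_ALLOW_HEADER.lower()) == "true"


class DeviceHandler(BaseHTTPRequestHandler):
    """Minimal device endpoint: answers preflights via evaluate_preflight and
    re-checks Origin on the actual request, since a preflight is only sent
    for subresource fetches."""

    def do_OPTIONS(self) -> None:
        status, hdrs = evaluate_preflight(dict(self.headers.items()))
        self.send_response(status)
        for k, v in hdrs.items():
            self.send_header(k, v)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self) -> None:
        origin = self.headers.get("Origin")
        # Cross-origin request from a non-allowlisted site: refuse it even if
        # the browser never sent a preflight.
        if origin is not None and origin not in ALLOWED_ORIGINS:
            body = b"forbidden origin\n"
            self.send_response(403)
        else:
            body = b"device status: ok\n"  # constructed placeholder payload
            self.send_response(200)
            if origin is not None:
                self.send_header("Access-Control-Allow-Origin", origin)
                self.send_header("Vary", "Origin")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed bind address for the demo; a real device would use its LAN IP.
    HTTPServer(("127.0.0.1", 8080), DeviceHandler).serve_forever()
```

Run the block and send `OPTIONS /` with an `Origin` header and `Access-Control-Request-Private-Network: true` to see the two outcomes: an allowlisted origin gets a 204 carrying `Access-Control-Allow-Private-Network: true`, anything else gets a 403 with no CORS headers. Note that during the Chrome 98 phase a failed preflight only produces a DevTools warning, so the device-side `Origin` check in `do_GET` is what actually refuses unwanted requests until enforcement begins.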

According to Google, a version of PNA is already live in Chrome 96, released in November 2021, but full support will roll out in two phases this year, with the release of Chrome 98 (early March) and Chrome 101 (late May). The details are as follows.

In Chrome 98

  • Chrome will send preflight requests before private network subresource requests.
  • Preflight failures are only displayed as warnings in DevTools and do not affect private network requests.
  • Chrome collects compatibility data and reaches out to the most affected sites.
  • Google expects this to be broadly compatible with existing sites.

Full deployment in Chrome 101

  • This phase will start only if the compatibility data shows that the change is safe enough, with Google reaching out directly to affected sites where necessary.
  • The Chrome browser will enforce that the preflight request must succeed; otherwise the private network request will fail.
  • A deprecation trial will also start at the same time, allowing sites affected by this phase to request an extension of time. The trial will last at least 6 months.
