Google Chrome has announced plans to ban public websites from direct access to endpoints located in private networks, as part of a major upcoming security overhaul to prevent intrusions through the browser.
The proposed changes will be rolled out in two phases, including plans to release Chrome 98 and Chrome 101 in the coming months through a newly implemented W3C specification called Private Network Access (PNA).
“Chrome will start sending CORS Make a preflight request before any private network request to a subresource that requires explicit permission from the target server,” Titouan Rigoudy and Eiji Kitamura Say“This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and responses to it must carry the corresponding header, Access-Control-Allow-Private-Network: true. “
This means that, starting with Chrome version 101, any website accessed over the Internet must ask the browser’s explicit permission before accessing internal network resources. In other words, the new PNA specification adds a provision in browsers by which a website can request a server behind a local network to get a connection.
“The specification also extends the Cross-Origin Resource Sharing (CORS) protocol, so websites must now explicitly request authorization from servers on private networks before being allowed to send arbitrary requests,” Rigoudy famous In August 2021, Google first announced plans to deprecate access to private network endpoints from non-secure websites.
The goal, the researchers said, is to protect users from cross-site request forgery (CSRF) attack for routers and other devices on private networks, which enables bad actors to reroute unsuspecting users to malicious domains.
