February 17, 2024 at 10:56AM
Google is testing a new feature to prevent malicious websites from attacking devices and services on a user’s internal, private networks through their browser. The proposed “Private Network Access protections” in Chrome 123 will conduct checks before directing a browser to visit sites within the user’s private network, aiming to shield users from potential threats.
Here are the key takeaways from the meeting notes:
1. Google is testing a new feature called “Private Network Access protections” in Chrome 123 to prevent malicious public websites from attacking devices and services on internal, private networks.
2. The feature conducts checks before a public website directs a browser to visit another site within the user’s private network, aiming to shield users’ private networks from potential threats.
3. When the browser detects that a public site attempts to connect to an internal device, it will send a preflight request to the device first. If there is no response, the connection will be blocked. However, if the internal device responds, it can tell the browser whether the request should be allowed using an ‘Access-Control-Request-Private-Network’ header.
4. In the warning stage, even if the checks fail, the feature won’t block the requests. Instead, developers will see a warning in the DevTools console, giving them time to adjust before stricter enforcement begins.
5. If a request is blocked, an automatic reload by the browser will allow the request to go through, as it would be seen as an internal => internal connection. To prevent this, Google proposes to block auto-reloading of a page if the Private Network Access feature previously blocked it.
6. The primary motivation behind this development is to prevent malicious websites from exploiting flaws on devices and servers in users’ internal networks, which were presumed safe from internet-based threats.
7. The development aims to protect against unauthorized access to users’ routers and software interfaces running on local devices.
8. Google started exploring this idea in 2021 to prevent external websites from making harmful requests to resources within the private network, with a focus on mitigating risks from “SOHO Pharming” attacks and CSRF vulnerabilities.
Please let me know if there’s anything else you need help with!