Igor Vihtiov

Reputation: 1

Google Chrome - Ensure private network requests are only made to resources that allow them

I need your help clarifying some things related to the Chrome update, Private Network Access, and Preflight requests.

I have an ASP.NET web application and a C# Windows Service (with a web server) running on a local host. Communication between these two apps is organized via the SignalR library.

In Chrome 127.xxxx, I started receiving this notification in the DevTools console:

Ensure private network requests are only made to resources that allow them

A site requested a resource from a network that it could only access because of its users' privileged network position. These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage. To mitigate these risks, a future version of Chrome will require non-public subresources to opt-into being accessed with a preflight request. To fix this issue, ensure that response to the preflight request for the private network resource has the Access-Control-Allow-Private-Network header set to true. Administrators can make use of the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies to temporarily disable this restriction on all or certain websites.

The same text is available at this link: https://chromium.googlesource.com/devtools/devtools-frontend/+/9149c7abd583c45cf0df83bf445c5b0ae7fa65b9/front_end/models/issues_manager/descriptions/corsInsecurePrivateNetworkPreflight.md

As I understand it, the correct solution is to support the new header on the web server side. That is clear. But my question is about the second approach: disabling this restriction using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.

What is meant by "temporarily disable"? Where can I find information on when these policies will stop working in the future?

Also, will Chrome 130 block all requests for insecure private networks, or will it be only a warning mode as described here? https://chromestatus.com/feature/4869685172764672

I tried researching this on Google, but did not find final confirmation for my questions.

Upvotes: 0

Views: 192
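
The server-side opt-in that the quoted DevTools message describes, as an added example that is not part of the original post or the asker's code: middleware that answers the preflight itself and returns Access-Control-Allow-Private-Network only to an allowlisted origin. It assumes the local service runs on ASP.NET Core (.NET 6 or later); the origin, port, allowed methods and headers, and the /ping endpoint are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Assumption: the only web origin allowed to call this local service (placeholder).
var allowedOrigins = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    "https://app.example.com"
};

var app = WebApplication.CreateBuilder(args).Build();

app.Use(async (context, next) =>
{
    var request = context.Request;
    var response = context.Response;
    string? origin = request.Headers["Origin"];
    bool originAllowed = origin is not null && allowedOrigins.Contains(origin);
    bool isPreflight = HttpMethods.IsOptions(request.Method)
        && request.Headers.ContainsKey("Access-Control-Request-Method");

    if (originAllowed)
    {
        // Echo the exact allowlisted origin, never "*".
        response.Headers["Access-Control-Allow-Origin"] = origin;
        response.Headers["Vary"] = "Origin";
    }
    if (!isPreflight)
    {
        await next(context);
        return;
    }
    // The preflight is answered here and never reaches the application.
    if (!originAllowed)
    {
        response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    response.Headers["Access-Control-Allow-Methods"] = "GET, POST"; // assumed methods
    response.Headers["Access-Control-Allow-Headers"] = "Content-Type"; // assumed headers
    // Opt in to Private Network Access only when the browser asks for it.
    if (string.Equals(request.Headers["Access-Control-Request-Private-Network"], "true",
            StringComparison.OrdinalIgnoreCase))
    {
        response.Headers["Access-Control-Allow-Private-Network"] = "true";
    }
    response.StatusCode = StatusCodes.Status204NoContent;
});

app.MapGet("/ping", () => "ok");  // hypothetical endpoint
app.Run("http://localhost:5000"); // assumed port
```

Because the header is returned only for an origin on the allowlist, other public sites that reach the same local port get a 403 on preflight rather than an opt-in.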

Answers (0)
