Local Network Access · Issue #163 · WebKit/standards-positions
WebKittens
Title of the spec
Local Network Access (aka Private Network Access, CORS-RFC1918)
URL to the spec
https://wicg.github.io/local-network-access
URL to the spec's repository
https://github.com/wicg/local-network-access
Issue Tracker URL
No response
Explainer URL
https://github.com/WICG/local-network-access/blob/main/explainer.md
TAG Design Review URL
Mozilla standards-positions issue URL
mozilla/standards-positions#143
WebKit Bugzilla URL
https://bugs.webkit.org/show_bug.cgi?id=250607
Radar URL
rdar://104246665
Description
Local Network Access aims to prevent CSRF attacks against insecure devices on the local network. This is achieved by deprecating direct access to private IP addresses from public websites, and instead requiring that:
- the initiator website be served over HTTPS
- the target website respond affirmatively to an augmented CORS preflight request
Note that we are working on adding a path for HTTPS initiators to bypass mixed content restrictions when talking to the local network, since HTTPS communications on the local network are difficult to set up and operate.
Previous requests for positions, from back in 2021:
- secure context restriction: https://lists.webkit.org/pipermail/webkit-dev/2021-May/031837.html, tentative interest from @youennf
- preflights: https://lists.webkit.org/pipermail/webkit-dev/2021-November/032040.html, no answer
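The two requirements in the description, seen from the local device's side, as an added example that is not part of the original issue or of the spec's own text. It assumes the header names `Access-Control-Request-Private-Network` and `Access-Control-Allow-Private-Network` from the Private Network Access draft (they are not named on this page); the allow-listed origin, the method list and the sample request are constructed for illustration.

```javascript
// Device-side decision for the augmented CORS preflight (added example).
// Header names are taken from the Private Network Access draft (assumption).
const REQUEST_PNA = "access-control-request-private-network";
const ALLOW_PNA = "Access-Control-Allow-Private-Network";

// Hypothetical policy for this device: which public origins may reach it, and how.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

function deny(status) {
  return { status, headers: {} };
}

// `headers` uses lower-cased names, as Node's http module delivers them.
function answerPreflight(method, headers, allowed = ALLOWED_ORIGINS) {
  const wanted = headers["access-control-request-method"];
  if (method !== "OPTIONS" || !wanted) return deny(400); // not a CORS preflight

  const origin = headers["origin"] || "";
  // Requirement 1: the initiator is served over HTTPS (and is one we chose to trust).
  if (!origin.startsWith("https://") || !allowed.has(origin)) return deny(403);
  if (!ALLOWED_METHODS.has(wanted)) return deny(403);

  const out = {
    "Access-Control-Allow-Origin": origin, // exact origin, never "*"
    "Access-Control-Allow-Methods": wanted,
    "Vary": "Origin",
  };
  // Requirement 2: answer affirmatively only when the browser asked for
  // local-network access; otherwise this is an ordinary CORS preflight.
  if (headers[REQUEST_PNA] === "true") out[ALLOW_PNA] = "true";
  return { status: 204, headers: out };
}

// Constructed sample: preflight a browser would send for a public HTTPS page.
const SAMPLE_PREFLIGHT = {
  "origin": "https://app.example.com",
  "access-control-request-method": "POST",
  "access-control-request-private-network": "true",
};

console.log(answerPreflight("OPTIONS", SAMPLE_PREFLIGHT));
```

A device that never returns the allow header stays unreachable from public pages in a browser that enforces the preflight, which is the safe default for devices with no web-facing integration.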