Open Bug 1481298 (private-network-access) Opened 6 years ago Updated 5 days ago

[meta] (Local) Private Network Access

Categories

(Core :: DOM: Networking, enhancement, P5)

People

(Reporter: mrbkap, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: meta, Whiteboard: [necko-triaged])

Bug 1475445 was filed because there's a mochitest testing that we have an implementation of [1]. We don't seem to implement it and I can't find an existing bug on file to do so. Anne, is this something we want to do?

[1] https://wicg.github.io/cors-rfc1918/
Flags: needinfo?(annevk)
I'm not sure, I don't think we've really discussed it thus far. It seems reasonable, if Chrome can somehow prove it to work, but there's a lot of legacy local network hardware that'd be impacted as I understand it. Maybe mt has thoughts?
Flags: needinfo?(annevk) → needinfo?(martin.thomson)
The operating principle here is that "local" things might somehow use the fact that a client is also local to privilege that client.  That is, a server might use the fact a client is on the local network or local link to somehow authorize that client.

This is reasonable on the face of it, and the increase in complexity for fetch is minor.  However, I think that it creates the wrong incentives.  We've been very careful to tell people not to use access to a network as a signal like this.  That is, we tell people that they need to implement good access control, no matter what they assume about their network environment (if a browser is deployed to that network, imagine what else could be there!).  Implementing a feature like this would - at some level - legitimize bad practice.

We have also left bug 354493 unfixed for a very long time now (this spec is mentioned there).  The last attempt bounced four years ago.  This is a less disruptive change, but I suspect that it will still cause breakage.  mcmanus might know more.
Flags: needinfo?(martin.thomson)
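
The access-control point in the comment above, as an added example that is not part of the bug discussion or of any Mozilla code: a device-side check that treats network locality as authorization, next to one that ignores the peer address and requires a credential. The function names, token, header layout and addresses are assumptions constructed for illustration.

```python
import hmac
import ipaddress

# Constructed sample values (not taken from the bug report).
DEVICE_TOKEN = "constructed-sample-token"
LAN_BROWSER_ADDR = "192.168.1.23"   # a browser sitting on the device's LAN
PUBLIC_ADDR = "203.0.113.5"         # documentation-range address

# Loopback, link-local and RFC 1918 / unique-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]

def is_local_peer(remote_addr):
    """True when the connecting address is loopback, link-local or private."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in LOCAL_NETS)

def authorize_by_network(remote_addr, headers):
    """Weak pattern: being on the local network is treated as authorization."""
    return is_local_peer(remote_addr)

def authorize_by_credential(remote_addr, headers):
    """Hardened pattern: the peer address is ignored, a secret is required."""
    presented = headers.get("Authorization", "")
    expected = "Bearer " + DEVICE_TOKEN
    # Constant-time comparison of the presented and expected values.
    return hmac.compare_digest(presented.encode(), expected.encode())

def evaluate(remote_addr, headers):
    """Run both policies on one request and return their decisions."""
    return {
        "network": authorize_by_network(remote_addr, headers),
        "credential": authorize_by_credential(remote_addr, headers),
    }

if __name__ == "__main__":
    with_token = {"Authorization": "Bearer " + DEVICE_TOKEN}
    # A request issued by a web page arrives from the LAN browser's address
    # and carries no device credential.
    print("page-initiated, via LAN browser:", evaluate(LAN_BROWSER_ADDR, {}))
    print("admin on LAN with token:        ", evaluate(LAN_BROWSER_ADDR, with_token))
    print("admin off LAN with token:       ", evaluate(PUBLIC_ADDR, with_token))
```

The first case is the one the comment is concerned with: the network check accepts the request because the browser is local, while the credential check rejects it regardless of where it came from.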
See Also: → 354493
Priority: -- → P5
Component: DOM → DOM: Core & HTML
Component: DOM: Core & HTML → DOM: Networking
Whiteboard: [necko-triaged]
Summary: Do something with CORS rfc 1918 → Do something with Private Network Access
Blocks: 354493
Alias: private-network-access
Blocks: 1731778
No longer depends on: utility-process
No longer blocks: 1731778
Severity: normal → S3
Alias: private-network-access → local-network-access
Keywords: meta
Summary: Do something with Private Network Access → [meta] Local Network Access
Duplicate of this bug: 1640449
Depends on: 1842593

Update: This feature is on the Necko roadmap. We will probably schedule some implementation effort in 2024.

Alias: local-network-access → private-network-access
Summary: [meta] Local Network Access → [meta] Private Network Access
Duplicate of this bug: 1870605
No longer duplicate of this bug: 1870605
Summary: [meta] Private Network Access → [meta] (Local) Private Network Access
See Also: → csrf