js-shield
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NBS, PNA, Mv3 and related


From: Giorgio Maone
Subject: Re: NBS, PNA, Mv3 and related
Date: Thu, 25 May 2023 18:58:00 +0200
User-agent: None of Your Business 1.0

Hi Libor,

I believe your interpretation is correct: even though browser vendors recognize the problem, compatibility woes from authors participating to the trial are postponing and watering down the adoption of a countermeasure comparable in practical effects to JShelter's Network Boundary Shield.

In today's WECG meeting we've discussed the  DNR initiatorDomain wildcard issue, ending in an neutral position from Chrome and Safari and in an opposed "pending compelling use cases" from Firefox (probably also because they'll keep blockin webRequest so they've got a work around).

As soon as I feel a bit better (hopefully next week, I'm still struggling with my infection and high fever) I plan to use this updated information you've collected on the local network access uncertain roadmap to open and bring to discussion a similar issue requesting DNR rules keywords to tell apart WAN and LAN resources both in initiator and destination, providing both JShelter's Network Boundary Shield and NoScript's own LAN protection as "compelling use cases".

Thanks and Best,
-- G


On 25/05/23 10:39, Libor Polčák wrote:
Hello all and especially Giorgio,

I have again looked at the Local Network Access (aka private network access) https://wicg.github.io/local-network-access/ and its status in the browsers we support.

Chrome/Chromium-based:
https://developer.chrome.com/blog/private-network-access-update/

It seems to me that since September 2021 (Chrome 94) HTTP pages cannot access private network resources (unless they participate in the deprecation trial). To this date all HTTPS pages can access private network resources. Google plans to restrict HTTPS sites but that is not yet deployed and no specific dates are set (https://developer.chrome.com/blog/private-network-access-update/#plans-for-the-future).

An older blog post indicates that Chrome supported first steps towards full LNA/PNA support (https://developer.chrome.com/blog/private-network-access-preflight/). The post mentions a rollback in Chrome 98 but I no longer can find details. As the post actually links to the updated blog post above, it seems that this post does not bring any new information on LNA/PNA status/plans.

Do I interpret these posts correctly?

As the Manifest v3 extension will (likely) not be able to integrate NBS that aims to mitigate the same issue, I am concerned that the users would actually lose the protection as it does not seem that Chromium-based browsers are going to block access to private network resources from HTTPS sites.



Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=1481298
https://github.com/mozilla/standards-positions/issues/143
https://github.com/mozilla/standards-positions/blob/main/activities.json#L1114 ("mozPosition": "positive")

I interpret these as Mozilla is positive to implement LNA in the future, they may have experimented with the feature. But it is uncertain when the feature will actually land in Firefox.

Please let me know if I miss something or interpret the information incorrectly.

Thanks

Libor


-- 
Giorgio Maone
https://maone.net

reply via email to

[Prev in Thread] Current Thread [Next in Thread]