[LINK] New Chrome security measure aims to curtail an entire class of Web attack
Kim Holburn
kim at holburn.net
Mon Jan 17 14:41:22 AEDT 2022
It's about time.
https://arstechnica.com/information-technology/2022/01/new-chrome-security-measure-aims-to-curtail-an-entire-class-of-web-attack/
> For more than a decade, the Internet has remained vulnerable to a class of attacks that uses browsers as a beachhead for accessing
> routers and other sensitive devices on a targeted network. Now, Google is finally doing something about it.
>
> Starting in Chrome version 98, the browser will begin relaying requests when public websites want to access endpoints inside the
> private network of the person visiting the site. For the time being, requests that fail won't prevent the connections from
> happening. Instead, they'll only be logged. Somewhere around Chrome 101—assuming the results of this trial run don't indicate
> major parts of the Internet will be broken—it will be mandatory for public sites to have explicit permission before they can
> access endpoints behind the browser.
>
> The planned deprecation of this access comes as Google enables a new specification known as private network access
> <https://wicg.github.io/private-network-access/>, which permits public websites to access internal network resources only after
> the sites have explicitly requested it and the browser grants the request. PNA communications are sent using the CORS, or
> Cross-Origin Resource Sharing, protocol. Under the scheme, the public site sends a preflight request in the form of the new header
> |Access-Control-Request-Private-Network: true|. For the request to be granted, the browser must respond with the corresponding
> header |Access-Control-Allow-Private-Network: true|.
>
--
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request