Re: NBS, PNA, Mv3 and related

[Giorgio Maone]

Hi Libor,

I believe your interpretation is correct: even though browser vendors recognize the problem, compatibility woes from authors participating to the trial are postponing and watering down the adoption of a countermeasure comparable in practical effects to JShelter's Network Boundary Shield.

In today's WECG meeting we've discussed the  DNR initiatorDomain wildcard issue, ending in an neutral position from Chrome and Safari and in an opposed "pending compelling use cases" from Firefox (probably also because they'll keep blockin webRequest so they've got a work around).

As soon as I feel a bit better (hopefully next week, I'm still struggling with my infection and high fever) I plan to use this updated information you've collected on the local network access uncertain roadmap to open and bring to discussion a similar issue requesting DNR rules keywords to tell apart WAN and LAN resources both in initiator and destination, providing both JShelter's Network Boundary Shield and NoScript's own LAN protection as "compelling use cases".

Thanks and Best,

-- G

On 25/05/23 10:39, Libor Polčák wrote:

> Hello
>       all and especially Giorgio,
>       
>       
>       I have again looked at the Local Network Access (aka private
>       network access) https://wicg.github.io/local-network-access/ and
>       its status in the browsers we support.
>       
>       
>       Chrome/Chromium-based:
>       
>       https://developer.chrome.com/blog/private-network-access-update/
>       
>       
>       It seems to me that since September 2021 (Chrome 94) HTTP pages
>       cannot access private network resources (unless they participate
>       in the deprecation trial). To this date all HTTPS pages can access
>       private network resources. Google plans to restrict HTTPS sites
>       but that is not yet deployed and no specific dates are set
> (https://developer.chrome.com/blog/private-network-access-update/#plans-for-the-future).
>       
>       An older blog post indicates that Chrome supported first steps
>       towards full LNA/PNA support
>       (https://developer.chrome.com/blog/private-network-access-preflight/).
>       The post mentions a rollback in Chrome 98 but I no longer can find
>       details. As the post actually links to the updated blog post
>       above, it seems that this post does not bring any new information
>       on LNA/PNA status/plans.
>       
>       
>       Do I interpret these posts correctly?
>       
>       
>       As the Manifest v3 extension will (likely) not be able to
>       integrate NBS that aims to mitigate the same issue, I am concerned
>       that the users would actually lose the protection as it does not
>       seem that Chromium-based browsers are going to block access to
>       private network resources from HTTPS sites.
>       
>       
>       
>       
>       Firefox:
>       
>       https://bugzilla.mozilla.org/show_bug.cgi?id=1481298
>       
>       https://github.com/mozilla/standards-positions/issues/143
>       
> https://github.com/mozilla/standards-positions/blob/main/activities.json#L1114
>       ("mozPosition": "positive")
>       
>       
>       I interpret these as Mozilla is positive to implement LNA in the
>       future, they may have experimented with the feature. But it is
>       uncertain when the feature will actually land in Firefox.
>       
>       
>       Please let me know if I miss something or interpret the
>       information incorrectly.
>       
>       
>       Thanks
>       
>       
>       Libor
>       
>

-- 
Giorgio Maone
https://maone.net