Google is currently testing a new feature aimed at protecting users on private networks from attacks originating from malicious public websites. This feature, called "Private network access checks for navigation requests," will be available in the upcoming Google Chrome 123 browser, initally in a "warning only" mode.
Private network access checks for navigation requests in Chrome
The feature will scan public sites and any redirects from them, checking if the redirect resource allows access from a public website through CORS-preflight requests. An example provided by Google demonstrates how an HTML iframe on a public website could potentially perform a CSRF attack to change the DNS configuration of a visitor's router on their local network.
<iframe href="https://admin:admin@router.local/set_dns?server1=123.123.123.123"> </iframe>
If the browser detects that a public site is attempting to connect to an internal device, it will block the connection by sending a preliminary request. This block can be resolved using the “Access-Control-Request-Private-Network” header.
Initial version of the feature
During the warning stage, the feature will not automatically block requests, but instead, developers will see a warning in the DevTools console indicating that the verification failed. Google advises against automatically reloading the browser, as this could allow the request to go through even after being blocked. To prevent this, the company suggests blocking page auto-reload. This will prompt an error message instructing users to manually reload the page to resolve the request.
You can learn more here.
Support us
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: