
Issue 590714 link

Starred by 23 users

Issue metadata

Status: Assigned
Owner:
Buried. Ping if important.
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Task



CORS restrictions on internet-to-intranet connections.

Project Member Reported by mkwst@chromium.org, Feb 29 2016

Issue description

(See http://www.chromium.org/blink#launch-process for an overview)

Change description:
We'll begin requiring servers on a user's machine (127.0.0.1) or intranet (as defined by RFC1918) to explicitly opt-in to connections originating from the public internet.

Changes to API surface:
Two new CORS headers, and more preflights.

Links:
Public standards discussion: https://mikewest.github.io/cors-rfc1918/

Support in other browsers:
Basically zero discussion so far.
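The description above says only that servers on 127.0.0.1 or on an RFC1918 intranet will have to opt in to requests from the public internet. The following is an added example, not code from the Chromium issue or from the cors-rfc1918 draft, showing the classification that decision rests on: map an IPv4 address into the three address spaces the proposal distinguishes (loopback, RFC1918 private, everything else public) and flag a request as "external" when its target is less public than its initiator. It goes one step beyond the issue text by also treating private-to-loopback as external, which is how the linked draft defines it; the function and variable names are this example's own.

```javascript
// Added example (not Chromium code): address-space classification behind
// the "internet-to-intranet" rule. IPv4 only; the issue text names 127.0.0.1
// and RFC1918, so nothing else is classified here.

function parseIPv4(text) {
  const parts = text.split('.');
  if (parts.length !== 4) throw new Error(`not a dotted-quad IPv4 address: ${text}`);
  return parts.map((p) => {
    if (!/^\d{1,3}$/.test(p)) throw new Error(`bad octet "${p}" in ${text}`);
    const n = Number(p);
    if (n > 255) throw new Error(`octet out of range in ${text}`);
    return n;
  });
}

// 'local'   = loopback, 127.0.0.0/8
// 'private' = RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
// 'public'  = anything else
function addressSpace(ip) {
  const [a, b] = parseIPv4(ip);
  if (a === 127) return 'local';
  if (a === 10) return 'private';
  if (a === 172 && b >= 16 && b <= 31) return 'private';
  if (a === 192 && b === 168) return 'private';
  return 'public';
}

// Higher rank = less public. An external request is one whose target is
// strictly less public than the document that initiated it: public -> private,
// public -> local, and (per the linked draft, not the issue text) private -> local.
const RANK = { public: 0, private: 1, local: 2 };

function isExternalRequest(initiatorIp, targetIp) {
  return RANK[addressSpace(targetIp)] > RANK[addressSpace(initiatorIp)];
}

// Small self-check so the file does something when run directly.
for (const [from, to] of [['203.0.113.5', '192.168.1.1'], ['192.168.1.2', '192.168.1.1']]) {
  console.log(`${from} -> ${to}: external=${isExternalRequest(from, to)}`);
}
```

The classification is deliberately strict about its input: a browser would apply it to the resolved IP address, not to the hostname the page typed, so a malformed or non-numeric string is an error rather than silently "public".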


Comment 1 by mkwst@chromium.org, Feb 29 2016

Blocking: 378566

Comment 3 by raniel...@gmail.com, Mar 15 2016

At https://groups.google.com/a/chromium.org/d/msg/blink-dev/kX6a99C1FGw/MQSorHYwAQAJ, I see: 

# Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes. WebView will be another balancing act, as I'm sure there's significant usage of WebView inside applications that talk to themselves via a local server

I submitted a crbug that is limiting us from using https with our current chrome app: https://bugs.chromium.org/p/chromium/issues/detail?id=589150


Project Member Comment 4 by bugdroid1@chromium.org, May 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c9f85e872f14d0e09a6677fb0703ab949e6fe123

commit c9f85e872f14d0e09a6677fb0703ab949e6fe123
Author: mkwst <mkwst@chromium.org>
Date: Fri May 06 14:05:53 2016

CORS-RFC1918: Force preflights for external requests in DocumentThreadableLoader.

This patch introduces the requirement that "external requests" which go through
DocumentThreadableLoader (XHR, Fetch, etc) generate preflights containing an
`Access-Control-Request-External` header. The preflight must be answered with a new
`Access-Control-Allow-External` response header. Otherwise, the request will be
cancelled.

This is still behind a runtime flag in `test` mode, but it required updating a
number of tests that were making cross-origin requests from sandboxed origins to
`127.0.0.1`. I don't expect that to be a common pattern, so adding the relevant
headers seems like a reasonable way of addressing the problem for these tests.

BUG=590714

Review-Url: https://codereview.chromium.org/1745083002
Cr-Commit-Position: refs/heads/master@{#392048}

[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/cookies/resources/echo-json.php
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/cookies/resources/testharness-helpers.js
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-cross-site-post.html
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-cross-site.html
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-same-site-post.html
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-same-site.html
[add] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/external-to-internal-fetch.html
[add] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/external-to-internal-xhr.html
[add] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/internal-to-internal-fetch.html
[add] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/internal-to-internal-xhr.html
[add] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/resources/abe.png
[add] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/resources/preflight.js
[add] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/resources/preflight.php
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/serviceworker/chromium/sandboxed-iframe-fetch-event.html
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url.html
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-expected.txt
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard-expected.txt
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/request-from-popup-expected.txt
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/request-from-popup.html
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-access-control-origin-header.cgi
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null.cgi
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow.cgi
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.h
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
[modify] https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123/third_party/WebKit/Source/platform/network/HTTPNames.in

The Firefox team was also working on the same problem but ran into some problems back in 2014; perhaps a common approach between browsers can be found?

https://bugzilla.mozilla.org/show_bug.cgi?id=354493
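The commit message in comment 4 names the two headers: an external request's preflight carries `Access-Control-Request-External`, and the preflight must be answered with `Access-Control-Allow-External` or the request is cancelled. The block below is an added example, not Chromium's DocumentThreadableLoader code and not a Chromium test, modelling that exchange with plain header objects so it runs offline: the browser side builds the preflight, an intranet or localhost service answers it, and the browser side applies the cancel rule. The header value `true`, the origin allow-list and every function name are this example's assumptions; the page only names the headers.

```javascript
// Added example (not Chromium code): the opt-in preflight exchange for an
// "external request" (public origin -> intranet/localhost server).
// Assumed: header value "true" for both headers, and an explicit origin
// allow-list on the server. Requests/responses are plain objects.

const ALLOWED_ORIGINS = new Set(['https://app.example']); // assumed opt-in list

// Browser side: headers the preflight for an external cross-origin request carries.
function buildExternalPreflight(origin, method, requestHeaders = []) {
  const headers = {
    'Origin': origin,
    'Access-Control-Request-Method': method,
    'Access-Control-Request-External': 'true',
  };
  if (requestHeaders.length) {
    headers['Access-Control-Request-Headers'] = requestHeaders.join(', ');
  }
  return { method: 'OPTIONS', headers };
}

// Server side (the intranet/localhost service): answer the preflight.
// Only echo the opt-in for an origin we deliberately trust; never a wildcard,
// since the whole point is that a random public page must not reach us.
function answerPreflight(preflight) {
  const h = preflight.headers;
  const origin = h['Origin'];
  if (preflight.method !== 'OPTIONS' || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  const out = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': h['Access-Control-Request-Method'],
    'Vary': 'Origin',
  };
  if (h['Access-Control-Request-External'] === 'true') {
    out['Access-Control-Allow-External'] = 'true';
  }
  return { status: 204, headers: out };
}

// Browser side: the rule from the commit message. The actual request proceeds
// only if the preflight succeeded, the origin is allowed, and the server
// explicitly opted in to external requests; otherwise it is cancelled.
function externalRequestAllowed(origin, response) {
  if (response.status < 200 || response.status >= 300) return false;
  const h = response.headers;
  const allowOrigin = h['Access-Control-Allow-Origin'];
  if (allowOrigin !== origin && allowOrigin !== '*') return false;
  return h['Access-Control-Allow-External'] === 'true';
}

// Walk through one exchange when run directly.
const demo = buildExternalPreflight('https://app.example', 'POST', ['content-type']);
const reply = answerPreflight(demo);
console.log('preflight status', reply.status,
  'allowed:', externalRequestAllowed('https://app.example', reply));
```

The third function is the part that matters for the existing-server problem raised in comment 3: a service that already answers ordinary CORS preflights with `Access-Control-Allow-Origin` but knows nothing about the new header still fails the check, which is exactly the opt-in the issue is asking for.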

Comment 6 by owe...@chromium.org, Sep 12 2017

Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge

Comment 7 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 8 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
On systemd Linuxes, the hostname "_gateway" is available, e.g.
$ ping _gateway
I wonder if sites could use it to access the router this way.
