> Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification.
> Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, `Access-Control-Request-Private-Network: true`, and the response to it must carry a corresponding header, `Access-Control-Allow-Private-Network: true`
> The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. These attacks have affected hundreds of thousands of users, allowing attackers to redirect them to malicious servers.
What would a browser setting to just block all PWA requests (`DENY * TO *` (to {192.168.0.1, .1.1, .100.1,})) - regardless of the appropriate new HTTP headers - actually prevent a normal user from doing?
Are there any test pages where I can see if I'm vulnerable to this? I've been assuming that uMatrix prevents this, but this post is a good reminder to double-check.
Scanning the LAN through your browser is nothing new. JS-Recon from AnD Labs [0] is a tool from 2010 that could do it. I have seen eBay [1], Facebook [2], and Halifax [3] do it too, albeit for other reasons than scanning for outdated devices (fraud/loss prevention). LexisNexis' ThreatMetrix [4] is commonly used to do this.
Please note that this is a copy of a comment I made 2 years ago and I have not tested the links to see if they are still correct.
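The preflight exchange quoted at the top of the thread, seen from the side of a device on the private network, as an added example that is not part of any comment here and not Chrome's code. The allowlist, the `admin.example` origin, and the function names are hypothetical.

```javascript
// Origins the device trusts to reach it from outside the private network.
// Constructed placeholder value, not taken from the thread.
const ALLOWED_ORIGINS = new Set(["https://admin.example"]);

// Decide how to answer a request, given its method and a lower-cased header
// map (the shape of Node's req.headers). Returns {status, headers}, or null
// when the request is not a CORS preflight and belongs to normal routing.
function decidePreflight(method, headers, allowed = ALLOWED_ORIGINS) {
  const isPreflight =
    method === "OPTIONS" &&
    headers["origin"] !== undefined &&
    headers["access-control-request-method"] !== undefined;
  if (!isPreflight) return null;

  const origin = headers["origin"];
  // Exact-match allowlist: never reflect an arbitrary Origin back.
  if (!allowed.has(origin)) {
    return { status: 403, headers: { "Vary": "Origin" } };
  }

  const out = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET, POST",
    "Vary": "Origin",
  };
  // Grant private network access only when the browser asked for it,
  // using the header pair named in the quoted announcement.
  if (headers["access-control-request-private-network"] === "true") {
    out["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: out };
}

// Adapter for Node's http.createServer((req, res) => handle(req, res, route)).
// `route` is the device's normal request handler (hypothetical name).
function handle(req, res, route) {
  const decision = decidePreflight(req.method, req.headers);
  if (decision === null) return route(req, res);
  res.writeHead(decision.status, decision.headers);
  res.end();
}
```

A browser that does not send the preflight never hits this path, so the device's normal routes still need their own authentication and Origin checks.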