Proposed changes from the W3C Community Group show a drafted report this month (January 3rd, 2022) showing a two phased approach for Chrome 98 and Chrome 101 via the new W3C specification called private network access or (PNA).
Plans are now in motion to prohibit public websites from directly accessing endpoints located within private networks as part of an upcoming major security shift to prevent attack vectors via the browser.
"Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server," Titouan Rigoudy and Eiji Kitamura said. "This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true."
Basically starting with Chrome version 101 any website accessible via public internet will be forced to seek specific and explicit permissions from the browser prior to any internal network resource access. The PNA specification adds rules inside the browser prior to any internal or private network gateway access.
"The specification also extends the Cross-Origin Resource Sharing (CORS) protocol so that websites now have to explicitly request a grant from servers on private networks before being allowed to send arbitrary requests," Rigoudy noted in August 2021, when it first announced plans to deprecate access to private network endpoints from non-secure websites.
Researches state the primary goal is to safeguard users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks, which enable bad actors to reroute unsuspecting users to malicious domains.
