Starting in March 2022, Google Chrome will start supporting the new Private Network Access standard which will help protect local network devices from malicious internet traffic.
Private Network Access, or PNA, will prevent malicious websites from using the victim’s browser as a proxy to relay cross-site request forgery attempts to devices on the user’s local network. (For examples of this kind of attack, take a look at SOHO Pharming or Trend Micro local host). The PNA standard extends the Cross-Origin Resource Sharing (CORS) protocol such that a website must request permission from servers on private networks before being allowed to send them a request.
A Private Network Request is one where the target server’s IP address is more private than the server making the request. For example a request from a server on the public web (myserver.com) to a server on the local network (myrouter.local) or indeed a request from a server on the local network to the localhost.
The PNA standard requires a pre-flight authorisation request to be sent to the target server which must be acknowledged before the browser will allow actual request to be made. The standard is designed to be secure by default such that if the targeted server does not understand the pre-flight request or ignores it, the cross-site request will be blocked by the browser.
Google Chrome plans to start rolling out PNA support for testing in Chrome 98 during March 2022. While in testing mode the pre-flight CORS requests will be sent and the responses logged to DevTools but the requests will always proceed regardless of the response. This will give developers a chance to spot any potential problems and make the necessary changes to systems that do make legitimate cross-site requests.
From Chrome 101 at the earliest (due May 2022) enforcement of the PNA standard will start and any requests which fail the CORS pre-flight checks will be blocked by the browser.
The Google Chrome team has published a detailed guide to the new features on their blog.
