Protecting private network access: Google will protect routers and printers from hackers

Teacher

Google will gradually roll out this feature to give developers time to adapt.

Google is developing a new feature aimed at protecting devices and services in private networks from attacks by malicious sites on the Internet. It is intended to prevent attacks on devices such as printers or routers located in users' homes. These devices are not directly connected to the Internet and are usually considered secure because they sit behind a router.

The main task of the new feature, called "Private Network Access Protection", is to perform checks before a public site redirects the user's browser to another site inside their private network. These checks include verifying the security of the original request and sending a preliminary request, known as a CORS preflight, to check whether the target site (for example, an HTTP server running on a local address or the router's web panel) allows access from the public site.

As an example, Google cites a case when a malicious site tries to change the DNS configuration of a user's router through a CSRF attack using an HTML iframe.

Code:
<iframe href="https://admin:[email protected]/set_dns?server1=123.123.123.123">
</iframe>

Based on the new security measures, when the browser notices an attempt by a public site to connect to a device on the local network, it initiates sending a preliminary request to this device. If there is no response, the connection is automatically blocked, preventing a potential threat. However, if the device responds to the request, it can inform the browser about the validity of the requested action using the "Access-Control-Request-Private-Network" header, thereby controlling access from the external network. This provides an additional layer of protection for devices inside a private network, increasing their security in the face of external attacks.

At the initial stage, even if the checks are not passed, the function will not block requests, and developers will see a warning in the DevTools console, which will give them time to adapt before introducing stricter restrictions.

Google also warns that if a request is blocked, the browser automatically reloads the page to allow the request to pass, since it will be treated as an internal connection. To prevent this, Google suggests blocking automatic page reloading if the "Protect Private Network Access" feature previously blocked it.

When this happens, the web browser displays an error message indicating that you can allow the request to be executed by manually reloading the page, as shown below.

[Image: browser error message shown after a blocked request]


The Google initiative is aimed at ensuring the security of devices and servers in user local networks, preventing external access to routers and local software interfaces. With the increasing number of applications relying on web interfaces without built-in protection, the importance of such security measures is steadily increasing.
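
The device side of the preflight check described above, as an added example that is not part of the original post or Google's code: in the Private Network Access specification the browser's preflight carries `Access-Control-Request-Private-Network: true`, and the device grants access by answering with `Access-Control-Allow-Private-Network: true`. The origin allowlist, method list and sample requests are assumptions made for illustration.

```javascript
// Added example: how a LAN device's web UI could answer the browser's preflight.
// ALLOWED_ORIGINS, ALLOWED_METHODS and all sample requests are constructed.
const ALLOWED_ORIGINS = new Set(["https://setup.vendor.example"]);
const ALLOWED_METHODS = ["GET", "POST"];

// HTTP header names are case-insensitive, so normalise them first.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
}

// Returns the { status, headers } the device sends back for one request.
function answerPreflight(method, rawHeaders) {
  const h = lowerKeys(rawHeaders);
  const origin = h["origin"];
  const wanted = h["access-control-request-method"];
  if (method !== "OPTIONS" || !origin || !wanted) {
    return { status: 400, headers: {} }; // not a CORS preflight
  }
  // Unknown origin or method: no Allow-* headers, so the browser blocks the request.
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.includes(wanted)) {
    return { status: 403, headers: { Vary: "Origin" } };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin, // exact origin, never "*"
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
    Vary: "Origin",
  };
  // Opt in to private-network access only when the browser asked for it.
  if (h["access-control-request-private-network"] === "true") {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers };
}

// Constructed preflights: an unlisted public page and the vendor's setup site.
const samples = [
  { Origin: "https://evil.example", "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Private-Network": "true" },
  { Origin: "https://setup.vendor.example", "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Private-Network": "true" },
];
for (const s of samples) {
  console.log(s.Origin, JSON.stringify(answerPreflight("OPTIONS", s)));
}
```

The first sample is answered with 403 and no `Access-Control-Allow-*` headers, so the browser's check fails; the second gets 204 with the private-network opt-in.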
 