Google Chrome has announced plans to prohibit public websites from directly accessing endpoints located within private networks as part of an upcoming major security shakeup to prevent intrusions via the browser.
The proposed change is set to roll out in two phases, with the Chrome 98 and Chrome 101 releases scheduled in the coming months, via a newly implemented W3C specification called Private Network Access (PNA).
“Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server,” Titouan Rigoudy and Eiji Kitamura said. “This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true.”
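How a server on a private network could answer the preflight described in the quote above, as an added example that is not from the article or from Chrome. The origin allowlist, the method list and the function name are assumptions for illustration.

```javascript
// Added example: decide how to answer a Private Network Access preflight.
// ALLOWED_ORIGINS, ALLOWED_METHODS and handlePreflight are hypothetical names;
// the origin below is a constructed value.
const ALLOWED_ORIGINS = new Set(["https://admin.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

// `headers` uses lower-cased names, as Node's http module provides them.
function handlePreflight(method, headers) {
  const origin = headers["origin"];
  const wanted = headers["access-control-request-method"];
  // A CORS preflight is an OPTIONS request carrying Origin and
  // Access-Control-Request-Method; anything else is handled elsewhere.
  if (method !== "OPTIONS" || origin === undefined || wanted === undefined) {
    return { preflight: false };
  }

  // Default answer: no CORS headers at all, so the browser blocks the request.
  const res = { preflight: true, status: 403, headers: { "Vary": "Origin" } };
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.has(wanted)) {
    return res;
  }

  res.status = 204;
  res.headers["Access-Control-Allow-Origin"] = origin; // never "*" for a private endpoint
  res.headers["Access-Control-Allow-Methods"] = wanted;
  // Opt in to private network access only when the browser asked for it.
  if (headers["access-control-request-private-network"] === "true") {
    res.headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return res;
}

// Constructed sample preflight from a public page on the allowlist.
const sample = handlePreflight("OPTIONS", {
  "origin": "https://admin.example.com",
  "access-control-request-method": "GET",
  "access-control-request-private-network": "true",
});
console.log(sample.status, sample.headers);
```

A server that never sends `Access-Control-Allow-Private-Network: true` stays unreachable from public pages once Chrome enforces the preflight, so the allowlist is the only place the exposure is granted.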