Chrome to bolster CSRF protections with CORS preflight checks on private network requests

Chrome is deprecating direct access to private network endpoints from public websites in order to protect users from cross-site request forgery (CSRF) attacks.

Part two of the browser’s implementation of the Private Network Access (PNA) specification, the move is specifically designed to block CSRF attacks that target routers and other devices on private networks.

“These attacks have affected hundreds of thousands of users, allowing attackers to redirect them to malicious servers,” explained Chrome software engineer Titouan Rigoudy and Google developer advocate Eiji Kitamura in a blog post.

Preflight screening

A two-part phased rollout of the change will begin with Chrome 98 – expected to land in early February – sending Cross-Origin Resource Sharing (CORS) preflight requests ahead of private network subresource requests.

Regardless of the private network request’s method and mode, Chrome will first send a preflight request carrying the header Access-Control-Request-Private-Network: true, asking the target server for permission to send the actual request. If the server grants permission, its preflight response must carry the header Access-Control-Allow-Private-Network: true.

“This ensures that the target server understands the CORS protocol and significantly reduces the risk of CSRF attacks,” said Rigoudy and Kitamura.

Phased rollout

Preflight failures will trigger warnings in DevTools without otherwise affecting private network requests.

However, from Chrome 101 at the earliest – contingent on the results of first-phase compatibility data and on first contacting the largest affected websites – requests whose preflight is rejected will be blocked.

Web admins can test whether their websites will work after this second phase by launching Chrome with the command-line feature flag --enable-features=PrivateNetworkAccessRespectPreflightResults, which makes fetches fail when the preflight is unsuccessful instead of merely logging a warning.

Although the Chrome team does not expect the first phase to break any websites, it nevertheless urges webmasters to update affected request paths, either by handling the preflight requests on the server side or by disabling PNA checks with enterprise policies.

A deprecation trial lasting at least six months will begin at the outset of phase two to allow affected websites to request a time extension.

PNA implementation timeline

Formerly known as CORS-RFC1918, PNA restricts the ability of websites to send requests to servers on networks that are more private than the network from which the request is initiated.

Chrome has already implemented part of the specification in Chrome 96, since which only secure contexts (HTTPS pages) have been permitted to make private network requests.

The specification also extends the Cross-Origin Resource Sharing (CORS) protocol to require websites to explicitly request a grant from servers on private networks before being allowed to send arbitrary requests.

The Chrome team is “tentatively aiming” to introduce phased rollouts for extending PNA checks further to cover dedicated, shared, and service web workers from Chrome 100, and to cover navigations, including iframes and popups, from Chrome 102.


Source: https://portswigger.net/daily-swig/chrome-to-bolster-csrf-protections-with-cors-preflight-checks-on-private-network-requests


Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO