The PNA will add a mechanism which will make websites to ask systems inside the local private networks for permission before they can interact with them. This permission request will carry a new header, Access-Control-Request-Private-Network: true and only when the response to this preflight is also true the interaction will be permitted, said Eiji Kitamura and Titouan Rigoudy, Google. If otherwise, then the sites will be blocked from connecting with the devices.

What is Private Network Access?

Private Network Access limits a website’s ability to query devices in the private networks. This limitation specification is also extended to Cross-Origin Resource Sharing protocol so sites can access the devices only after the permission is granted from the servers.

Attackers manipulation on Browsers to breach networks will become limited

This introduction of Private Network Access will increase the security posture of Chrome users. Threat actors have been exploiting browsers for the proxy connections that’s inside a organization’s internal network.

To understand this security enhancement plans in details lets consider a scenario where a malicious website is trying to establish contact with a IP address like 192.130.40.28, which is the address of a router and can be accessed only from the internal local network. When users in this network browse malicious websites, Chrome can make an automated request to their router without admin or user’s knowledge, it can also run malicious commands bypassing the router security layers altering router configurations.

The above manipulation of attacks have been seen in the wild with DNS Changer malware attacking home routers in 2016. These attacks can also target other devices within the network including servers, desktops, laptops, domain controllers, applications and firewalls.

Private Network Access and their preflights

Preflight request is a mechanism introduced by the Cross-Origin Resource Sharing (CORS) standard used to request permission from a website before sending it an HTTP request that might have some after affects. This ensures that the target server understands the CORS protocol and significantly reduces the risk of CSRF attacks.

The PNA has already been included in the Chrome 96 version but the complete support is yet to be fully supported this year in Chrome 98 and Chrome 101. The Chrome 98 will  see the initial introduction of the preflight requests while Chrome 101 will evaluate websites the query and reliability of PNA. Only if the entire thing is reviewed to be safe and stable the same will be fully deployed into Chrome.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Instagram, Twitter and Reddit.

You can reach out to us via Twitter or Facebook, for any advertising requests.