Private Network Access (PNA) (noun)
Rick Howard: The word is: PNA.
Rick Howard: Spelled: P for private, N for network, and A for access
Rick Howard: Definition: a browser configuration control that prevents accessing resources within a private network.
Rick Howard: Example sentence: Chrome is deprecating access to private network endpoints from non-secure websites as part of the Private Network Access specification.
Rick Howard: Origin and context: Google rolled out the cross-origin resource sharing protocol, or CORS, to its Chrome browser early in 2022. According to Titouan Rigoudy at Google, the CORS goal is 'to protect users from cross-site request forgery attacks, or CSRF attacks, targeting routers and other devices on private networks." In other words, with this control turned on, any attacker that has taken control of a browser page will not be able to connect to any local network resources that don't already connect to the public internet.
Rick Howard: Software developers, Ryan Sleevi, Titouan Rigoudy, and Frédéric Wang explained on a GitHub page, "this specification only affects requests from a public IP address to a private IP address or local host, and requests from a private IP address to local host. This may change to cover all cross origin requests to the private network in the future."
Rick Howard: Simon Kölsch at innoQ notes that websites and applications may need to adjust this change to continue functioning properly. "It might not affect you at all if the user facing part of your application is hosted on servers within a public IP range. If however your application is included in an iframe and access through your local internet, like your VPN, you might run into problems with Chrome."
Rick Howard: Nerd reference: On the IT Pro TV show in January, 2022, Daniel Lowrie talked about the significance of the Google CORS initiative.
Daniel Lowrie: What they're trying to implement is a new protocol to stop malware from reaching inside of your own home personal network and accessing resources there. That's what this is all about.
Daniel Lowrie: So it is a security bump, like so that they don't go, oh, well, how about that? There's a nice router at 192168.0.1, maybe it has a vulnerability that I can exploit and start to have some sort of conversation with it.
Daniel Lowrie: So from now on what it'll do with this new protocol is it will say if I receive a request for an internal resource, it must first pass the test that we allow that type of thing. If it doesn't, which by default, nothing will, then it won't allow access into those resources.
Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.