Private Network Access Permission prompt origin trial: A path to migrate websites with HTTPS

Yifan Luo

Background

Chrome 94 introduced a block on private network access from non-secure public websites. The ongoing Private Network Access from non-secure contexts deprecation trial has revealed challenges in migrating affected websites to HTTPS. A common concern is the difficulty of migrating private devices to HTTPS, leading to mixed content check violations.

To address this challenge, a new permission prompt is available under an origin trial from Chrome 120.

Permission prompt as the new option

Adding the new targetAddressSpace attribute as a fetch option lets the request skip the mixed content check.

Example:

fetch("http://router.local/ping", {
  targetAddressSpace: "private",
});

As described in "Private Network Access: introducing preflights", any private network request is preceded by a preflight request. This preflight request includes a new header, Access-Control-Request-Private-Network: true, and the corresponding response must include the header Access-Control-Allow-Private-Network: true.

To accommodate the new permission prompt, we require devices to include two new response headers: Private-Network-Access-Name and Private-Network-Access-ID.

Private-Network-Access-Name: <some human-readable device name>
Private-Network-Access-ID: <the MAC address of the device>

Example:

Private-Network-Access-Name: "My Smart Toothbrush"
Private-Network-Access-ID: "01:23:45:67:89:0A"

Private-Network-Access-ID: A 48-bit value presented as 6 hexadecimal bytes separated by colons.

Private-Network-Access-Name: A valid name as a string that matches the ECMAScript regular expression /^[a-z0-9_-.]+$/. The maximum length of the name is 248 UTF-8 code units.
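
The header rules above as a small checker, added here as an example (not code from the original page or from Chrome): it validates a device's preflight response headers against the formats stated on this page. The function names and the sample header sets are constructed, and the hyphen in the name pattern is read as a literal character, which is an assumption.

```javascript
// Added example: checks a device's preflight response headers against the
// formats stated on this page. Not Chrome's implementation.

// 48-bit value presented as 6 hexadecimal bytes separated by colons.
const ID_RE = /^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$/i;
// The page's character set, with "-" read as a literal hyphen (assumption).
const NAME_RE = /^[a-z0-9_.-]+$/;
const NAME_MAX = 248; // maximum name length in UTF-8 code units

// Header names are case-insensitive, so lower-case the keys before lookup.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = String(v).trim();
  }
  return out;
}

// The page's sample values are wrapped in double quotes; accept both forms.
function unquote(value) {
  const m = /^"(.*)"$/.exec(value);
  return m ? m[1] : value;
}

// Returns a list of problems; an empty list means the response passes.
function checkPreflightResponse(headers) {
  const h = lowerKeys(headers);
  const problems = [];
  if (h["access-control-allow-private-network"] !== "true") {
    problems.push("Access-Control-Allow-Private-Network: true is missing");
  }
  const id = unquote(h["private-network-access-id"] ?? "");
  if (!ID_RE.test(id)) {
    problems.push("Private-Network-Access-ID is missing or not 6 colon-separated hex bytes");
  }
  const name = unquote(h["private-network-access-name"] ?? "");
  if (new TextEncoder().encode(name).length > NAME_MAX) {
    problems.push("Private-Network-Access-Name exceeds 248 UTF-8 code units");
  } else if (!NAME_RE.test(name)) {
    problems.push("Private-Network-Access-Name is missing or has characters outside the pattern");
  }
  return problems;
}

// Constructed sample responses (not captured from a real device).
const GOOD = { "Access-Control-Allow-Private-Network": "true",
  "Private-Network-Access-Name": "smart-toothbrush.local", "Private-Network-Access-ID": "01:23:45:67:89:0A" };
const BAD = { "Private-Network-Access-Name": "Kitchen Router", "Private-Network-Access-ID": "01-23-45-67-89-0A" };
```

Running checkPreflightResponse against a device's preflight response during development shows which of the three required headers would need fixing before the permission prompt can be used.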

Demo

You can check out the demo at: https://private-network-access-permission-test.glitch.me/.

Register for an origin trial

To ensure that the Private Network Access Permission Prompt helps developers adopt secure context restrictions for private network access, we are making it available in Chrome from version 120 to 122 as an origin trial.

Register for the origin trial to enable your website to use the permission prompt:

  1. Request a token for your origin.
  2. Use the token in one of the following ways:
    • In your HTML:
        <meta http-equiv="Origin-Trial" content="TOKEN_GOES_HERE">
    • In your JavaScript:
        const meta = document.createElement('meta');
        meta.httpEquiv = 'Origin-Trial';
        meta.content = 'TOKEN_GOES_HERE';
        document.head.append(meta);
    • In the HTTP headers:
        Origin-Trial: TOKEN_GOES_HERE

For any feedback or suggestions regarding this feature, please file an issue in the GitHub repository.

Resources