Private Network Access on hold

Published: October 9, 2024

Private Network Access (PNA) is a security feature that prevents public websites from accessing endpoints on the private network unless those endpoints explicitly opt in. This prevents a variety of attacks, such as Cross-Site Request Forgery (CSRF). PNA allows only secure contexts to request subresources from the private network, and the eventual goal is that every private network request will work only if the endpoint opts in by responding to a preflight request.
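The endpoint opt-in described above, sketched as an added example (this is not code from Chrome or from the PNA specification). The header names `Access-Control-Request-Private-Network` and `Access-Control-Allow-Private-Network` come from the PNA specification and do not appear in this post; the function name, the origin allowlist and the allowed methods are assumptions made for illustration.

```javascript
// Added example: preflight opt-in logic for a service on a private network.
// ALLOWED_ORIGINS and ALLOWED_METHODS are constructed values; replace them
// with the origins and methods that really need to reach this endpoint.
const ALLOWED_ORIGINS = new Set(["https://console.example.com"]);
const ALLOWED_METHODS = "GET, POST";

// Takes the request method and a lower-cased header map (the shape Node's
// http module provides) and returns { status, headers } for the response.
function pnaPreflightResponse(method, headers, allowed = ALLOWED_ORIGINS) {
  const isPreflight =
    method === "OPTIONS" && "access-control-request-method" in headers;
  if (!isPreflight) {
    // This sketch only answers preflights; real requests go elsewhere.
    return { status: 405, headers: {} };
  }

  const origin = headers["origin"];
  if (!origin || !allowed.has(origin)) {
    // Unknown origin: send no Allow-* headers, so the browser's CORS/PNA
    // check fails and the follow-up request is never sent.
    return { status: 403, headers: { Vary: "Origin" } };
  }

  const res = {
    // Echo only an allowlisted origin; never "*" for a private endpoint.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": ALLOWED_METHODS,
    Vary: "Origin, Access-Control-Request-Private-Network",
  };

  // The PNA-specific part: opt in only when the browser signals that the
  // request crosses from a more public to a more private address space.
  if (headers["access-control-request-private-network"] === "true") {
    res["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: res };
}
```

The opt-in header is returned only to allowlisted origins, so the endpoint stays unreachable from arbitrary public sites once preflights are enforced.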

We had previously announced that PNA preflight requests would be enforced from Chrome 130. This rollout is currently on hold due to a number of compatibility problems.

Private network requests are currently restricted to secure contexts only, with a deprecation trial for websites to opt out. PNA preflights are not currently enforced. We recently added 0.0.0.0/8 to Private Network Access, addressing an issue in the specification. This means that insecure contexts are restricted from accessing 0.0.0.0/8, and any further rollouts of PNA enforcement will treat 0.0.0.0 as a local address. We are considering alternatives such as additional permissions to ease the rollout, and we'll post to this blog with more information once we've determined a new rollout plan.