A new feature of Google Chrome blocks attacks on home networks
Google is testing a new feature that stops malicious public websites from using the visitor's browser to attack devices on private networks. It is meant to protect printers, routers and other devices that are reachable from the local network but are not directly exposed to the Internet.
The feature, called "Private Network Access" protection, will ship in Google Chrome 123 in "warning only" mode. It covers navigations initiated by public sites, including redirects from them: before following such a navigation to a private-network address, the browser checks whether the target resource allows access from the public website by sending it a CORS preflight request first.
In Google's example, an HTML iframe on a public website performs a CSRF attack that changes the DNS configuration of the visitor's router on the local network:
<iframe href="https://admin:[email protected]/set_dns?server1=123.123.123.123">
</iframe>
Now, when the browser sees a public site trying to navigate to a device on a private network, it first sends a CORS preflight (an OPTIONS request) carrying the header Access-Control-Request-Private-Network: true. The device can permit the navigation only by answering that preflight with Access-Control-Allow-Private-Network: true, alongside the usual CORS headers such as Access-Control-Allow-Origin; if the preflight fails or the header is missing, the navigation is blocked. Note that the Request header is what the browser sends, and the Allow header is what the device must return; a device that does not know about the feature returns neither and is therefore protected by default.
So far, in the warning phase, the feature does not block requests. Instead, developers see a warning in the DevTools console that the check failed.
Google also warns that an automatic reload of the page would let the request through even after it was blocked. To prevent this, Chrome blocks the page's automatic reload; in that case the browser displays an error page stating that the request can be allowed by reloading the page manually.