Possible impact of W3C Private Network Access aka CORS-RFC1918

[peterbrightwell]

Chrome 117, due in September 2023 will turn on Private Network Access (formerly known as CORS-RFC1918) meaning that "public non-secure contexts (broadly, websites that are not delivered over HTTPS or from a private IP address) are forbidden from making requests to the private network".

It looks like Google have been trialling this for some time, and e.g. Mozilla are watching, so might become standard for browsers?

This potentially could affect access to NMOS services/resources that don't use HTTPS in some cases, such as when multiple subnets are involved.

Note: BCP-003-01 recommends use of HTTPS for NMOS.

See https://developer.chrome.com/blog/private-network-access-update/ for more details. This links to ways of disablilng this feature by setting user policy – though that doesn't seem a good long-term solution, which is of course to use HTTPS.

See also: https://chromestatus.com/feature/5954091755241472

Thanks to @garethsb for spotting this.