Experimenting with Chrome's Private Network Access (PNA)
Private Network Access (PNA) is a security feature in Chrome that restricts public websites from accessing private network resources, enhancing user security. This guide details how to experiment with PNA features in Chrome, focusing on configurations and testing.
Secure Context Restriction
Starting with Chrome version 94, subresources embedded by public websites are subject to a secure context restriction. This feature is enabled by default and helps prevent malicious access to private networks.
You can manage this restriction via:
- Command-line flag:
--enable-features=BlockInsecurePrivateNetworkRequests
- chrome://flags:
chrome://flags/#block-insecure-private-network-requests
- Deprecation trial
- Enterprise policies:
InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls
PNA Preflight Requests
PNA preflight requests are available from Chrome 98, initially in warning mode. These preflight requests precede actual private network requests to ensure compliance. You can switch between enforcing and warning modes using the following methods:
- Command-line flag:
--enable-features=PrivateNetworkAccessRespectPreflightResults
- chrome://flags:
chrome://flags/#private-network-access-respect-preflight-results
With the flag enabled, Chrome enforces preflight request success; failure prevents the actual request from being sent.
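To see what a passing preflight looks like from the private server's side, the following added example (not code from the original page or from Chrome) decides how to answer one. The header names Access-Control-Request-Private-Network and Access-Control-Allow-Private-Network come from the PNA specification rather than this page; the allowlisted origin and the function names are assumptions made for illustration.

```javascript
// Added example: server-side handling of a PNA preflight on a private-network device.
// ALLOWED_ORIGINS holds a constructed value; replace it with the public origins you trust.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Decide the response for one request. `headers` uses lowercase names,
// which is how Node's http module exposes them in req.headers.
function decidePreflight(method, headers, allowed = ALLOWED_ORIGINS) {
  const isPreflight =
    method === "OPTIONS" && "access-control-request-method" in headers;
  if (!isPreflight) return { status: null, headers: {} }; // not a preflight

  const origin = headers["origin"];
  if (!origin || !allowed.has(origin)) {
    // Answer promptly with no Allow-* headers: the preflight fails and,
    // in enforcing mode, Chrome never sends the actual request.
    return { status: 403, headers: { Vary: "Origin" } };
  }
  const out = {
    "Access-Control-Allow-Origin": origin, // echo only a vetted origin
    "Access-Control-Allow-Methods": "GET, POST",
    Vary: "Origin",
  };
  // Opt in to private network access only when the browser asked for it.
  if (headers["access-control-request-private-network"] === "true") {
    out["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: out };
}

// Adapter usable inside http.createServer((req, res) => ...).
// Returns true when it has fully answered the request.
function handlePreflight(req, res) {
  const decision = decidePreflight(req.method, req.headers);
  if (decision.status === null) return false;
  res.writeHead(decision.status, decision.headers);
  res.end();
  return true;
}
```

Responding explicitly to every preflight, including the rejected ones, keeps the server from silently dropping the OPTIONS request.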
Navigations and Workers
PNA preflight requests extend to navigations and workers and can be configured using command-line flags:
--enable-features=PrivateNetworkAccessForNavigations
--enable-features=PrivateNetworkAccessForWorkers
--enable-features=PrivateNetworkAccessForNavigationsWarningOnly
--enable-features=PrivateNetworkAccessForWorkersWarningOnly
The first two flags enable enforcement mode, while the latter two, when used with the first two, switch to warning-only mode.
Alternatively, use chrome://flags:
chrome://flags/#private-network-access-ignore-navigation-errors
chrome://flags/#private-network-access-ignore-worker-errors
Timeout Reduction
To mitigate issues where private servers drop unknown preflight requests, Chrome implements a 200ms timeout limit. This prevents indefinite waiting on non-responding servers.
You can disable this timeout using the chrome://flags entry: chrome://flags/#private-network-access-preflight-short-timeout
Permission Prompt
Chrome version 120 introduces a PNA permission prompt on desktop. This feature seeks user consent before allowing access to private networks.
You can control it via:
- Command-line flag:
--enable-features=PrivateNetworkAccessPermissionPrompt
- chrome://flags:
chrome://flags/#private-network-access-permission-prompt
- Origin trial
Testing Your Implementation
For command-line flag settings refer to this resource. Test your web app using: https://private-network-access-test.glitch.me/ or https://private-network-access-permission-test.glitch.me/ for the permission prompt.
Errors will appear as CORS errors in the DevTools console and as "Blocked requests" in the network panel.