Steps to reproduce the problem

Enable Permission Prompt for Private Network Access experiment in about:flags or use an origin with active Origin Trial PrivateNetworkAccessPermissionPrompt
Install a Service Worker on a secure origin with the following code:

  const request = event.request;
  if (!request.url.startsWith(location.origin)) {
    // Skip cross origin requests
    return false;
  }
  event.respondWith(fetch(request));
});

Send a PNA enabled request from the application context, e.g.

fetch('http://privatehost.local', { targetAddressSpace: 'private' })

I've put together a minimal repro at the following URL: https://www.danielbaulig.de/pna-sw-bug/ Since the origin is not part of the Origin Trial, the experiment flag will need to be enabled.

Problem Description

Expected behavior: A PNA preflight request should be sent to the privatehost.local host and the actual request should only be sent upon successful response and user confirmation. With PNA Permission Prompt experiment disabled the UA will prevent the request due to the Mixed Content policy.

Actual behavior: No PNA preflight request is sent and no user confirmation prompted. The Mixed Content policy will also not prevent the request from being sent. The UA will send the request as instructed by the application, circumventing both the Mixed Content policy and PNA Permission Dialog.

More details relating to the bug can be found in https://github.com/WICG/private-network-access/issues/126#issue-2104329281

Summary

Security: Application can actively circumvent Mixed Content policy in PNA origin trial

Custom Questions

Which component does this fall under?

Not sure - I don't know

Does this work in other browsers?

Yes - This is just a Chrome problem

Additional Data

Category: API
Chrome Channel: Stable
Regression: N/A