Chrome is deprecating direct access to private network endpoints from public websites

A browser can reach sites on the public internet just as easily as it can reach the internal LAN used by routers and other internal network devices. Until now, a site on the public network could also load resources from the local area network. Public sites usually have no need to access the internal network. So in the upcoming Chrome 98 and Chrome 101 versions, Google will gradually implement what the relevant W3C standard calls Private Network Access (PNA). With Private Network Access enabled, any public site that wants to access LAN resources must pass a cross-origin resource sharing (CORS) check and obtain permission before making the request.

Figure: Relationship between public, private and local networks in Private Network Access (CORS-RFC1918)

The most common intranet device in a home is the router. It can be reached at the local network's default address, and some users never change the router password. In addition, many routers have vulnerabilities because they have not been updated for a long time, so attackers can exploit them by tricking users into visiting a malicious public site. In response, Google's new policy restricts public sites: a public site that wants to access internal resources must first issue a cross-origin request (a preflight), and the actual call is made only after the browser approves it and the internal server responds and authorizes it. This prevents attackers from using cross-site request forgery against such devices. Developers who do need to call private network resources from the public network are advised to read Google's new policy in advance and add the corresponding HTTP headers.
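The server side of the exchange described above, as an added example that is not from Google, Chromium or the PNA specification: a small Python HTTP handler that a LAN device (a router admin UI, say) could use to answer the preflight Chrome sends before a public site may reach it. Under PNA the browser's preflight carries the request header Access-Control-Request-Private-Network: true, and the private-network server must answer with Access-Control-Allow-Private-Network: true (plus the usual CORS headers) for the real request to proceed. The origin allow-list, the port, and the resource served are constructed placeholders; the decision logic is deny-by-default so that an unknown public origin never gets the grant.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical allow-list for a LAN device: only these public origins may be granted
# private-network access. Anything not listed is refused (deny by default).
ALLOWED_ORIGINS = {"https://dashboard.example.com"}  # constructed example origin


def pna_preflight(request_headers, allowed_origins=ALLOWED_ORIGINS):
    """Decide how to answer a CORS preflight that may carry a Private Network Access request.

    Returns (status, response_headers). Header names are compared case-insensitively,
    as HTTP requires. Only a preflight that names an allow-listed Origin AND explicitly
    asks for private-network access receives Access-Control-Allow-Private-Network: true.
    """
    h = {k.lower(): v.strip() for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None or origin not in allowed_origins:
        # Missing or unknown origin: refuse the preflight so the browser blocks the request.
        return 403, {}
    resp = {
        "Access-Control-Allow-Origin": origin,  # echo the specific origin, never "*"
        "Access-Control-Allow-Methods": "GET, OPTIONS",
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",
    }
    if h.get("access-control-request-private-network", "").lower() == "true":
        # Chrome only sends this header when the request crosses into a more private
        # address space; grant it solely for the allow-listed origin above.
        resp["Access-Control-Allow-Private-Network"] = "true"
    return 204, resp


class LanDeviceHandler(BaseHTTPRequestHandler):
    """Minimal handler for a private-network endpoint that honours PNA preflights."""

    def _send(self, status, headers, body=b""):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_OPTIONS(self):
        # The preflight: self.headers is an HTTPMessage and supports .items().
        status, headers = pna_preflight(self.headers)
        self._send(status, headers)

    def do_GET(self):
        # The real request. Requests without an Origin header (same-origin navigation,
        # curl) are served without CORS headers; cross-origin requests are served only
        # for allow-listed origins, as defence in depth alongside the browser's check.
        if self.headers.get("Origin") is None:
            self._send(200, {"Content-Type": "application/json"}, b'{"status":"ok"}')
            return
        status, headers = pna_preflight(self.headers)
        if status != 204:
            self._send(403, {})
            return
        headers["Content-Type"] = "application/json"
        self._send(200, headers, b'{"status":"ok"}')


if __name__ == "__main__":
    # Bind to loopback for a local demonstration; a real device would listen on its LAN address.
    HTTPServer(("127.0.0.1", 8080), LanDeviceHandler).serve_forever()
```

Echoing the specific origin rather than `*` matters here: the PNA grant is only meaningful when paired with an explicit origin, and a wildcard would hand every public site the same access the policy is designed to remove.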