We propose to block access to IP address 0.0.0.0 in advance of PNA completely rolling out. Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification (https://developer.chrome.com/blog/private-network-access-preflight/). Services listening on the localhost (127.0.0.0/8) are considered private according to the specification (https://wicg.github.io/private-network-access/#ip-address-space-heading). Chrome's PNA protection (rolled out as part of https://chromestatus.com/feature/5436853517811712) can be bypassed using the IP address 0.0.0.0 to access services listening on the localhost on macOS and Linux. This can also be abused in DNS rebinding attacks targeting a web application listening on the localhost. Since 0.0.0.0 is not used in practice (and should not be used), but was overlooked during https://chromestatus.com/feature/5436853517811712, we're deprecating it separately from the rest of the private network requests deprecation.
Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification (https://developer.chrome.com/blog/private-network-access-preflight/). Services listening on the localhost (127.0.0.0/8) are considered private according to the specification (https://wicg.github.io/private-network-access/#ip-address-space-heading). Chrome's PNA protection can be bypassed using the IP address 0.0.0.0 to access services listening on the localhost on macOS and Linux. This can also be abused in DNS rebinding attacks targeting a web application listening on the localhost. See more: https://crbug.com/1300021