Private Network Access permission to relax mixed content

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 124)
Intent stage: Start incubating

Summary

In order to establish connections to devices on a local network that do not have globally unique names, and therefore cannot obtain TLS certificates, this feature introduces a new option to `fetch()` to declare a developer's intent to talk to such a device, a new policy-controlled feature to gate each site's access to this capability, and new headers for the server's preflight response to provide additional metadata.
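
The device side of the exchange described above, as an added example (not Chrome's or the explainer's code): a preflight decision function that grants the private-network request only to an allowlisted origin and returns the metadata headers. The header names, their formats and the `targetAddressSpace` option are assumed from the explainer linked on this page and should be checked against it; the origin, device ID and device name are constructed.

```javascript
// Page side (per the explainer, an assumption here):
//   fetch("http://192.168.0.10/status", { targetAddressSpace: "private" })
// Device side: decide how to answer the resulting OPTIONS preflight.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // hypothetical allowlist
const DEVICE = { id: "01:23:45:67:89:0A", name: "lab-printer" }; // constructed

// Format checks for the metadata headers (assumed from the explainer:
// six colon-separated hex bytes; lowercase name of at most 248 characters).
const ID_RE = /^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/;
const NAME_RE = /^[a-z0-9_.-]{1,248}$/;

// Normalise header names to lowercase, as Node's http module does.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { status, headers } for a request to the device.
function answerPreflight(method, rawHeaders, device = DEVICE) {
  const h = lower(rawHeaders);
  const deny = (status) => ({ status, headers: {} });

  if (method !== "OPTIONS") return deny(405);
  // Only treat it as a private-network preflight when the browser says so.
  if (h["access-control-request-private-network"] !== "true") return deny(403);
  // Exact-match allowlist: never reflect arbitrary origins or send "*".
  const origin = h["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return deny(403);
  // Refuse to advertise malformed metadata to the permission prompt.
  if (!ID_RE.test(device.id) || !NAME_RE.test(device.name)) return deny(500);

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": "GET",
      "Access-Control-Allow-Private-Network": "true",
      "Private-Network-Access-ID": device.id,
      "Private-Network-Access-Name": device.name,
      "Vary": "Origin",
    },
  };
}
```

A denied preflight carries none of the private-network headers, so the browser blocks the request before any permission prompt is shown for that origin.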

Motivation

We've gotten substantial negative feedback during our deprecation trial around the secure context restriction. A large group of local devices turn out to be unable to obtain TLS certificates for various reasons. With the interaction of the mixed content restriction, we're left with two options:

1. Remove the restriction, which would give active network attackers the ability to initiate requests to network devices from users' machines.
2. Relax the mixed content restriction for the specific case of private network resources.

The former would weaken everyone's security. The latter can be effectively governed by users, limiting the risk to those who need to accept it.

Standards & signals

Docs:
https://docs.google.com/document/d/1Q18g4fZoDIYQ9IuxlZTaItgkzfiz_tCqaEAI8J3Y1WY/edit
https://github.com/WICG/private-network-access/blob/main/permission_prompt/security_privacy_self_review.md

Samples: https://drive.google.com/file/d/1pnyQfIsXdtJnZoCBVSt4xim0yXjZ0Aqc/view?usp=sharing

Explainers: https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
