Requires that private network requests for subresources be initiated only from a secure context. "Private network requests" are those initiated from a public network, targeting a private network. Examples include internet to intranet requests and intranet loopbacks. This is a first step towards fully implementing CORS-RFC1918.


Servers running inside local networks, or on a user's device, expose powerful capabilities to the web in ways that can be quite dangerous. CORS-RFC1918 proposes a set of changes to limit the impact of requests to these servers by ensuring that the servers are opting into any communication with external entities. For this opt-in to have any meaning, the servers need to be able to ensure that the client origin is authenticated. To that end, only secure contexts are empowered to make external requests. This change is separable from the rest of CORS-RFC1918, and we can make it now, before the rest of the larger feature is ready.
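A simplified model of this rule, as an added example (not Chromium's code). It assumes IPv4 only and three address spaces, with loopback as local, the RFC 1918 ranges as private, and everything else as public; the function names and sample addresses are constructed for illustration.

```javascript
// Simplified model of the rule above; added example, not Chromium's code.
// Assumption: IPv4 only, three address spaces: loopback = "local",
// RFC 1918 ranges = "private", everything else = "public".
const RANK = { public: 0, private: 1, local: 2 };

function parseIPv4(ip) {
  const parts = ip.split(".");
  const ok = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.map(Number);
}

function addressSpace(ip) {
  const [a, b] = parseIPv4(ip);
  if (a === 127) return "local";                          // 127.0.0.0/8
  if (a === 10) return "private";                         // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return "private";  // 172.16.0.0/12
  if (a === 192 && b === 168) return "private";           // 192.168.0.0/16
  return "public";
}

// A request is a private network request when its target sits in a more
// private address space than the document that initiated it.
function isPrivateNetworkRequest(initiatorIp, targetIp) {
  return RANK[addressSpace(targetIp)] > RANK[addressSpace(initiatorIp)];
}

// The rule on this page: a private network request for a subresource is
// blocked unless the initiating document is a secure context. "allow" means
// only that this rule does not block it.
function decide(initiator, targetIp) {
  if (!isPrivateNetworkRequest(initiator.ip, targetIp)) return "allow";
  return initiator.secureContext ? "allow" : "block";
}

// Constructed sample initiators (documentation-range and RFC 1918 addresses).
const publicHttp = { ip: "203.0.113.7", secureContext: false };
const publicHttps = { ip: "203.0.113.7", secureContext: true };
const intranetHttp = { ip: "192.168.1.20", secureContext: false };

console.log(decide(publicHttp, "192.168.1.1"));   // internet -> intranet, insecure
console.log(decide(publicHttps, "192.168.1.1"));  // internet -> intranet, secure
console.log(decide(intranetHttp, "127.0.0.1"));   // intranet -> loopback, insecure
console.log(decide(intranetHttp, "192.168.1.1")); // same address space
```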



Editor's draft

Status in Chromium


In developer trial (Behind a flag) (tracking bug) in:

  • Chrome for desktop release 86
  • Chrome for Android release 86

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • Negative


Intent to Prototype url

Intent to Prototype thread


"Ready for Trial" update was sent as a follow-up email to the I2I thread started long ago by

Last updated on 2020-11-23