Google is developing a new function aimed at protecting devices and services on private networks from attacks by malicious sites on the Internet. This innovation will help prevent attacks on devices such as printers or routers in users' homes. These devices are not connected directly to the Internet and are usually considered protected because they are behind the router.
The main task of the new function, called “Protection of private network access”, is to perform checks before a public site directs the user's browser to another site inside the user's private network. These checks include verifying that the initial request is secure and sending a preliminary request to check whether access to the target site (for example, an HTTP server running on a local address, or a router's web interface) is allowed from a public site. These preliminary requests are called CORS preflight requests.
As an example, Google cites a case where a malicious site tries to change the DNS configuration of the user's router through a CSRF attack using an HTML iframe.
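How a device inside the private network might answer the preflight described above, as an added example that is not from Google or the original article. The `Access-Control-Request-Private-Network` and `Access-Control-Allow-Private-Network` header names come from the Private Network Access specification; the allowed origin, the method list and the function name `answerPreflight` are assumptions.

```javascript
// Added example: device-side handling of a CORS preflight that a browser
// sends before letting a public site reach a private-network address.
// The origin below is a constructed sample value (assumption).
const ALLOWED_ORIGINS = new Set(["https://admin.vendor.example"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

// Takes the request method and a plain header object,
// returns { status, headers } for the response.
function answerPreflight(method, headers) {
  // Header names are case-insensitive; normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const wanted = h["access-control-request-method"];
  if (method !== "OPTIONS" || !wanted) {
    return { status: 400, headers: {} }; // not a CORS preflight
  }
  const origin = h["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.has(wanted)) {
    // No CORS headers in the reply: the browser treats the preflight as
    // failed and never sends the actual request to the device.
    return { status: 403, headers: {} };
  }
  const out = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
    "Vary": "Origin",
  };
  // The browser marks public-to-private requests with this header and
  // expects an explicit opt-in before it proceeds.
  if (h["access-control-request-private-network"] === "true") {
    out["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: out };
}

// Constructed sample preflight from an origin the device does not trust.
const sample = answerPreflight("OPTIONS", {
  "Origin": "https://unknown-site.example",
  "Access-Control-Request-Method": "POST",
  "Access-Control-Request-Private-Network": "true",
});
console.log(sample.status, sample.headers);
```

A device that never sends the opt-in header stays unreachable from public pages in browsers that enforce the check, which is the default outcome for the router in Google's example.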