This is a repost from the QZ tray folks regarding a potential upcoming change that would affect QZ tray or any similar product. QZ tray is the new no-popup required, printing helper application that was released for ExpressCheck Web in version 7.7 and for Leap in version 7.8.
This might include an impact on the Leap Security helper application used for RFID tags.
The WICG (Web Incubator Community Group) has decided to impose additional restrictions on communications between web browsers and local applications (such as QZ Tray) to counter malicious activity.
This change, called “Local Network Access” (LNA), WILL impact all clients running QZ Tray once it is rolled out.
While the WICG has acknowledged our need to whitelist this connection attempt, the rollout is proceeding much faster than we anticipated. This aggressive timeline prevents projects like QZ Tray from implementing better messaging, improved whitelisting, and reliable detection mechanisms, ultimately harming honest software companies (like us) who are trying to comply with these new rules.
Key Impacts & Concerns:
-
Pop-up Warnings: All users will soon see a confusing pop-up warning (e.g.,
"``example.com`` wants to Look for and connect to any device on your local network") upon initial connection, which may prompt them to click BLOCK despite QZ Tray only connecting to itself onwss://localhost:8181. -
Fast Rollout: The WICG’s implementation timeline is too aggressive, happening faster than QZ Tray can implement necessary solutions like better client-side messaging and graceful error handling.
-
Lack of Control: The WICG has provided no mechanism for fine-grained control at the application level, meaning QZ Tray cannot set up whitelisting preferences in advance for users; though Chrome offers some flag/enterprise policy options they’re either too broad to be secure, or too specific to be suitable for us.
-
No Detection: There is no official timeline for the promised client-side detection of this pop-up, leaving QZ Tray unable to gracefully handle the change before the browser rollout occurs.
What can be done:
-
Power-users, developers and System Administrators can share their concerns directly with the WICG on the LNA issue tracker (github).
-
Enterprise Chrome environments can get ahead of this rollout by temporarily disabling the LNA pop-ups or via enterprise whitelisting.
-
Firefox users can read-up about their implementation here however enterprise policies seem to be waiting on Chrome first.
-
Become familiar with this new pop-up by testing beta versions of your web browser.
