Connections to HTTP, HTTPS or FTP servers on ports 69, 137, 161, 1719, 1720, 1723 or 6566 will fail. This is a mitigation for the NAT Slipstream 2.0 attack: It helps developers by keeping the web platform safe for users.


The NAT Slipstream 2.0 attack is a kind of cross-protocol request forgery which permits malicious internet servers to attack computers on a private network behind a NAT device. The attack depends on being able to send traffic on port 1720 (H.323). To prevent future attacks, this change also blocks several other ports which are known to be inspected by NAT devices and may be subject to similar exploitation.


Specification link

Specification being incubated in a Community Group

Status in Chromium


Enabled by default

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.



HTTP servers using one of the listed ports will be inaccessible. They will have to be modified to run on different ports, and all referring urls updated. Legitimate use of these ports for HTTP servers is rare. This change has already shipped in a point release 87.0.4280.117. At the time the security issue was not disclosed, so the intent to ship is being sent after shipping.

Last updated on 2022-01-14