Paul SerbanSoftware Engineer

Best Practices for Configuring Local Network Permissions in ChromeHow to use policies like allow='local-network-access' effectively

Introduction

Chrome has increasingly tightened control over local network access, introducing features and restrictions aimed at enhancing security. With the release of Chrome version 142, new measures such as the allow="local-network-access" attribute, Local Network Access (LNA) permissions, and CORS adjustments like Access-Control-Allow-Private-Network have become pivotal for developers configuring local network access.

If you're developing for applications that interact with local resources (like IoT devices, printers, or GeoComply services), failing to configure these correctly could result in blocked requests, security warnings, or broken functionality. In this blog post, we'll explore best practices for setting up local network permissions in Chrome, including how to handle nested iframes, permissions policies, and appropriate HTTP headers.

Chrome's Local Network Access: A Brief Overview

Local Network Access is a security feature designed to prevent malicious websites from accessing resources in your private network (such as local servers or devices). Starting with Chrome 142, this feature introduces stricter preflight checks and user permissions.

One key component is the prompt for Local Network Access: when a page attempts to access localhost (127.0.0.1) or a private network IP address (e.g., 192.168.x.x), users must explicitly allow access. This prevents cross-origin resource sharing (CORS) issues and enforces better security hygiene.

Moreover, nested iframes require properly delegated permissions. Without the allow="local-network-access" attribute, any embedded iframes attempting local network access will be blocked by Chrome, even if the top-level page has permission.

Configuring Iframe Permissions with allow="local-network-access"

When embedding iframes in your application, you must explicitly specify the permissions delegated to them. In recent Chrome updates, the allow attribute controls which features or APIs are accessible to the iframe. For Local Network Access, ensure your iframe tag includes the local-network-access policy.

Example Usage:

<!-- Correctly configured iframe -->
<iframe 
    src="https://<subdomain>.example.com/" 
    allow="local-network-access">
</iframe>

Without this attribute, iframe requests to local network addresses will result in the following error:

Access to XMLHttpRequest at 'http://127.0.0.1:53280/check' from origin 
'https://<subdomain>.example.com' has been blocked by CORS policy.

For nested iframes, permissions must be granted at each level in the hierarchy. For example, if launcher.myapp.com embeds dashboard.myapp.com, and dashboard.myapp.com further embeds local-device.myapp.com, both iframes require explicit allow="local-network-access" attributes.

Testing Iframe Permissions:

Use the following script to check whether the iframe has been granted local-network-access:

console.log(document.featurePolicy.allowsFeature('local-network-access'));

If it returns false, update the embedding page with the appropriate policy.

Setting HTTP Headers: The Role of Access-Control-Allow-Private-Network

In addition to iframe policies, HTTP headers play a vital role in enabling local network access. Specifically, Chrome introduces the Access-Control-Allow-Private-Network header to indicate that private network resources are accessible.

Example Backend Configuration (Node.js/Express)

app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', 'https://your-app.com');
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  res.setHeader('Access-Control-Allow-Private-Network', 'true'); // Critical for Chrome 142+
  next();
});

Failure to include this header results in preflight request failures and warnings in Chrome DevTools. This is particularly important when fetching resources from localhost or private IPs in enterprise deployments.

Debugging Issues with navigator.permissions.query

Chrome exposes a developer-friendly API that allows you to programmatically check the status of the local-network-access permission using JavaScript:

navigator.permissions.query({ name: "local-network-access" })
  .then(permission => {
    console.log('Local Network Access Permission:', permission.state);
    // Possible values: 'granted', 'denied', 'prompt'
    if (permission.state === 'denied') {
      alert('Local network access is blocked. Please update browser settings.');
    }
  })
  .catch(err => console.error('Permission query failed:', err));

This can be particularly useful in debugging scenarios where you need to determine why a request was denied. It also allows you to provide better feedback to users by guiding them on how to manually grant permissions.

Best Practices for Long-Term Compatibility

  1. Apply Permissions Incrementally: Use the allow attribute sparingly, only granting the permissions your iframe absolutely needs. Avoid wildcard policies (allow="*").

  2. Use Explicit Origins: When configuring Access-Control-Allow-Origin, avoid using * in production. Specify the exact origins that should be allowed to access local resources.

  3. Prepare for Policy Deprecations: Note that temporary policies, like LocalNetworkAccessRestrictionsTemporaryOptOut, will be removed in Chrome 146. Plan long-term fixes, including frontend/iframe configurations and backend headers.

  4. Educate End Users: Chrome’s permission prompts can confuse users. Provide proper messaging in your app that explains why access is required and how they can grant it.

  5. Test in Nested Iframes: Frequently verify that local access works seamlessly in different embedding contexts. This is especially critical for enterprise apps with complex navigation stacks.

Conclusion

As Chrome evolves, its new restrictions on local network access present unique challenges but also opportunities to improve security. By following best practices like using the allow="local-network-access" attribute, setting proper HTTP headers, and leveraging helpful debugging tools like navigator.permissions.query, developers can ensure that their applications remain functional and compliant.

Local network access is here to stay as a core security concern for modern browsers. Adapting to and embracing these changes will not only future-proof your applications but also build greater trust with your users. Start implementing these recommendations today and keep your app ahead of the curve.