Intent to Prototype: Local network access restrictions for WebSockets

89 views
Skip to first unread message

Chromestatus

unread,
Sep 4, 2025, 3:23:23 PMSep 4
to blin...@chromium.org, cth...@chromium.org, dad...@google.com, jdeb...@chromium.org, hc...@chromium.org

Contact emails

hc...@chromium.org

Explainer

https://github.com/WICG/local-network-access/blob/main/explainer.md#websockets

Specification

None

Summary

Restricts the ability to make requests to the user's local network using WebRTC, gated behind a permission prompt. A local network request is any request from a public website to a local IP address or loopback, or from a local website (e.g. intranet) to loopback. Gating the ability for websites to perform these requests behind a permission reduces the ability of sites to use these requests to fingerprint the user's local network. This permission is restricted to secure contexts. This work is adding to the Local Network Access Restrictions work here: https://chromestatus.com/feature/5152728072060928



Blink component

Blink>SecurityFeature>LocalNetworkAccess

Motivation

Local WebSockets connections are subject to many of the same attacks that the original LNA proposal are designed to solve. This would add the same controls that were implemented in the original LNA proposal to WebSockets



Initial public proposal

None

TAG review

None

TAG review status

Pending

Risks



Interoperability and Compatibility

None



Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?

No

Flag name on about://flags

None

Finch feature name

LocalNetworkAccessChecksWebSockets

Requires code in //chrome?

False

Tracking bug

https://crbug.com/421156866

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5197681148428288?gate=5182539509661696

This intent message was generated by Chrome Platform Status.

Mike Taylor

unread,
Sep 8, 2025, 10:21:07 AMSep 8
to Chromestatus, blin...@chromium.org, cth...@chromium.org, dad...@google.com, jdeb...@chromium.org, hc...@chromium.org

On 9/4/25 3:23 p.m., Chromestatus wrote:

Contact emails

hc...@chromium.org

Explainer

https://github.com/WICG/local-network-access/blob/main/explainer.md#websockets

Specification

None

Summary

Restricts the ability to make requests to the user's local network using WebRTC, gated behind a permission prompt. A local network request is any request from a public website to a local IP address or loopback, or from a local website (e.g. intranet) to loopback. Gating the ability for websites to perform these requests behind a permission reduces the ability of sites to use these requests to fingerprint the user's local network. This permission is restricted to secure contexts. This work is adding to the Local Network Access Restrictions work here: https://chromestatus.com/feature/5152728072060928

I assume the mention of WebRTC here is a typo. Could we update the Chromestatus to mention WebSockets instead?
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68b9e717.050a0220.3291f8.09fe.GAE%40google.com.

Hubert Chao

unread,
Sep 8, 2025, 10:30:37 AMSep 8
to Mike Taylor, Chromestatus, blin...@chromium.org, cth...@chromium.org, dad...@google.com, jdeb...@chromium.org
Oops, yes fixed. Thanks for catching that!


Reply all
Reply to author
Forward
0 new messages