Restricts the ability to make requests to the user's local network, gated behind a permission prompt. A local network request is any request from a public website to a local IP address or loopback, or from a local website (e.g. intranet) to loopback. Gating the ability for websites to perform these requests behind a permission mitigates the risk of cross-site request forgery attacks against local network devices such as routers, and reduces the ability of sites to use these requests to fingerprint the user's local network. This permission is restricted to secure contexts. If granted, the permissions additionally relaxes mixed content blocking for local network requests (since many local devices are not able to obtain publicly trusted TLS certificates for various reasons). This work supersedes a prior effort called "Private Network Access" (e.g., https://chromestatus.com/feature/5737414355058688, https://chromestatus.com/feature/5954091755241472) which used preflight requests to have local devices opt-in.
Interoperability risks: LNA requires a Secure Context to make local network requests, but exempts some of these local network requests from mixed content checks (if the user grants permission). If another browser does not implement LNA, these same local network requests might be blocked as mixed content, or the site might need to serve over HTTPS for Chrome and over HTTP for browsers that don't implement LNA (to avoid triggering mixed content). Compatibility risks: There are some local network requests types that we cannot know ahead of time will be going to the local network (e.g., a subresource request to http://test.example which then resolves to 192.168.0.1). These would be blocked as mixed content, as mixed content checks happen before hostname resolution (i.e., they occur before "Obtain a connection" in Fetch). Explicit local IP addresses, `.local` domains, and fetch() requests with the new `targetAddressSpace` fetch() option are exempted from mixed content checks, but other connection types may be difficult for developers (e.g., WebSockets https://github.com/explainers-by-googlers/local-network-access/issues/16). We hope that our Dev Trial will help identify compatibility issues. When we fully ship we also plan on running a reverse origin trial to allow sites to (temporarily) opt-out of the secure contexts requirement -- this would be an escape hatch for mixed content.
N/A
A new permission will be shown to users, which may be unexpected, and if users deny the permission functionality may break (potentially requiring additional support from site owners). Part of our goal for having a Dev Trial is to give site owners time to adjust their requests (especially if they need to use the mixed content exemptions) and to potentially adapt their UX flows so the permission requests are less surprising to users.
Exempting some requests from mixed content checks based on declared targetAddressSpace could potentially be used to arbitrarily bypass mixed content. To avoid this, LNA does an additional check that the actual resolved address space matches what was declared, and blocks the request if it does not.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
When a request would be blocked under LNA, we add a new DevTools Issue with details.
Android WebView currently doesn't support letting apps grant any new permission types, so the Local Network Access permission is currently unconditionally granted in WebView. Android is separately adding a Local Network permission which would apply to the app that embeds a WebView https://developer.android.com/privacy-and-security/local-network-permission
We have started working on building out a test suite but it is still a work-in-progress. https://wpt.fyi/results/fetch/local-network-access
DevTrial on desktop | 138 |
DevTrial on Android | 139 |