On 2/19/26 2:29 p.m., Chromestatus wrote:
*Contact emails*
[email protected]
*Explainer*
https://github.com/WICG/local-network-access/blob/main/explainer.md#websockets
*Specification*
https://wicg.github.io/local-network-access/#integration-with-websockets
*Summary*
Local Network Access(LNA) restrictions are being expanded to include
WebSockets. WebSockets connections to local address will now start
triggering permission prompts. All of the current LNA enterprise
policies will still apply to the LNA WebSockets restrictions
(LocalNetworkAccessAllowedForUrls, LocalNetworkAccessBlockedForUrls,
and LocalNetworkAccessRestrictionsTemporaryOptOut). More information
about LNA can be found at
https://developer.chrome.com/blog/local-network-access
*Blink component*
Blink>SecurityFeature>LocalNetworkAccess
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3ELocalNetworkAccess%22>
*Web Feature ID*
local-network-access
<https://webstatus.dev/features/local-network-access>
*Motivation*
Local WebSockets connections are subject to many of the same attacks
that the original LNA proposal are designed to solve. This would add
the same controls that were implemented in the original LNA proposal
to WebSockets
*Initial public proposal*
/No information provided/
*TAG review*
/No information provided/
*TAG review status*
Pending
*Risks*
*Interoperability and Compatibility*
Interoperability risks: LNA requires a Secure Context to make local
network requests, but exempts some of these local network requests
from mixed content checks (if the user grants permission). If another
browser does not implement LNA, these same local network requests
might be blocked as mixed content, or the site might need to serve
over HTTPS for Chrome and over HTTP for browsers that don't implement
LNA (to avoid triggering mixed content). Compatibility risks: There
are some local network requests types that we cannot know ahead of
time will be going to the local network (e.g., a subresource request
to http://test.example which then resolves to 192.168.0.1). These
would be blocked as mixed content, as mixed content checks happen
before hostname resolution (i.e., they occur before "Obtain a
connection" in Fetch). Explicit local IP addresses, and `.local`
domains are exempted from mixed content checks, but we do not have an
equivalent to the `targetAddressSpace` fetch() option for WebSockets
We hope that our Dev Trial will help identify compatibility issues.
The LNA reverse origin trial will provide a temporary opt-out for
those that are not able to bypass the mixed content checks currently
Do you have an update here? DevTrial isn't the best way to assess actual
compatibility (because it relies on people finding your blog post /
blink-dev email). Is it not possible to add metrics to understand the
potential impact?
/Gecko/: No signal
/WebKit/: No signal
/Web developers/: No signals
/Other signals/:
*Activation*
A new permission will be shown to users, which may be unexpected, and
if users deny the permission functionality may break (potentially
requiring additional support from site owners). As this is building
off of the first Local Network Access launch, this should be a minimal
risk, but has a chance of impacting those who are impacted by this
launch but were not impacted by the original Local Network Access launch.
*WebView application risks*
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
/No information provided/
*Debuggability*
/No information provided/
*Will this feature be supported on all six Blink platforms (Windows,
Mac, Linux, ChromeOS, Android, and Android WebView)?*
No
This is unsupported on WebView for the same reasons that Local Network
Access is unsupported on WebView
*Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
No
*DevTrial instructions*
https://docs.google.com/document/d/1GHbpRTCnfDXq9o8WKyrG7oPAiWC6Yozac-PvbfO3KoY/edit?usp=sharing
*Flag name on about://flags*
local-network-access-check-websockets
*Finch feature name*
LocalNetworkAccessChecksWebSockets
*Rollout plan*
Will ship enabled for all users
*Requires code in //chrome?*
False
*Tracking bug*
https://crbug.com/421156866
*Measurement*
Use counters: - PrivateNetworkAccessWebSocketConnected counts the
number of LNA WebSockets request we see -
LocalNetworkAccessWebSocketResourceNotKnownPrivate - counts cases in
which a `targetAddressSpace` option could have helped bypass mixed
content checks
*Estimated milestones*
Shipping on desktop 147
DevTrial on desktop 142
Shipping on Android 147
DevTrial on Android 142
*Anticipated spec changes*
Open questions about a feature may be a source of future web compat or
interop issues. Please list open issues (e.g. links to known github
issues in the project for the feature specification) whose resolution
may introduce web compat/interop risk (e.g., changing to naming or
structure of the API in a non-backward-compatible way).
/No information provided/
*Link to entry on the Chrome Platform Status*
https://chromestatus.com/feature/5197681148428288?gate=5077674561241088
*Links to previous Intent discussions*
Intent to Prototype:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/68b9e717.050a0220.3291f8.09fe.GAE%40google.com
Intent to Experiment:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHEiSH2ujeQQ0jJw1eYb-WfS1Ozw%2Bc4%2BX%2BrSxTD%2B524wMYbknQ%40mail.gmail.com
This intent message was generated by Chrome Platform Status
<https://chromestatus.com>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69976492.2b0a0220.19817b.07d3.GAE%40google.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69976492.2b0a0220.19817b.07d3.GAE%40google.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/fea9052b-c3b3-4d34-ad00-4bcd542e0b2f%40chromium.org.
