Local Network Access

Local Network Access (LNA) restricts websites from making requests to local/private network resources without user permission. In Firefox, this is gated behind a permission prompt.

IP Address Spaces

The spec defines three address spaces, from most to least public:

A request from a more-public context to a less-public address is considered a local network request and requires permission.

Setup: Start a Local Server

The tests below need something listening on your machine. Without a running server, the browser can't distinguish "blocked by LNA" from "connection refused" — and won't show the permission prompt.

Pick one of the options below and run it in a terminal. Each starts an HTTP server on localhost:8080 that serves a simple page with permissive CORS headers, so every test button works out of the box. 


      

    


    

      

        
        

      

    


    

      

        
        

      

      

        This serves the current directory. Some test buttons (image, script,
        stylesheet) will only work if matching files exist. The Python and Node
        options return a response for any path.
      

    


    

      

        
        

      

      

        This serves the current directory. Some test buttons (image, script,
        stylesheet) will only work if matching files exist. The Python and Node
        options return a response for any path.
      

    


    

      Once you see "Listening on http://localhost:8080", you're ready to run the
      tests below.
    


    
Tests

    

      Mixed content note: This page is served over HTTPS, but
      the local server runs plain HTTP. Browsers treat
      loopback addresses (localhost,
      127.0.0.1, ::1) as trustworthy, so
      http:// requests to them are not blocked as mixed
      content. However, requests to
      private network addresses (192.168.x.x,
      10.x.x.x, etc.) over http:// will be
      blocked. Use the loopback presets for testing.
    


    

      
fetch() Test

      

        Try fetching a local/private network resource. The browser should show a
        permission prompt.
      


      

        Presets:
        
        
        
        
        
        
      


      

        
        
      

    


    

      
Subresource Tests

      
Load various subresource types from local network addresses.


      

        
      


      

        
        
        
        
      

    


    

      
iframe Embed

      
Embed a local network page in an iframe.

      

        
        
        
      

      

    


    

      About Permissions-Policy
      
Two policy-controlled features gate LNA:

      
      

        Default allowlist is 'self'. Cross-origin iframes need
        explicit delegation:
      

      
<iframe src="..." allow="local-network"></iframe>

    


    
Log