ssoSilent fails in upcoming version of Chrome (142)
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
4.25.0
Wrapper Library
Not Applicable
Wrapper Library Version
N/A
Public or Confidential Client?
Confidential, Public
Description
Version 142 (latest beta version) of chrome enables Local Network Access Restrictions [0] [1]. This breaks the ssoLogin function due to the following CORS error: LocalNetworkAccessPermissionDenied. Rather than returning account information, it causes a BrowserAuthError due to a timeout.
I'm able to reproduce this on older versions of chrome by manually enabling the following flag: chrome://flags/#local-network-access-check.
I was able to reproduce this with both msal-browser and msal-react. I've reproduced this locally and on deployed (non-localhost) websites.
Note that it seems like other browsers plan to include similar features so this issue might become more widespread.
Error Message
Network error CORS: LocalNetworkAccessPermissionDenied. That error causes the following upstream issue:
BrowserAuthError: monitor_window_timeout: Token acquisition in iframe failed due to timeout. For more visit: aka.ms/msaljs/browser-errors.
After doing some debugging, I was able to find the following error occurring in the monitorIframeForHash function in SilentHandler.ts: Uncaught SecurityError: Failed to read a named property 'href' from 'Location': Blocked a frame with origin "http://localhost:5173" from accessing a cross-origin frame.
MSAL Logs
Network Trace (Preferably Fiddler)
- [ ] Sent
- [ ] Pending
MSAL Configuration
const msalConfig = {
  auth: {
    clientId: CLIENT_ID,
    authority: `https://login.microsoftonline.com/${TENANT_ID}`,
    redirectUri: location.origin,
    postLogoutRedirectUri: '/',
  },
  cache: {
    cacheLocation: 'sessionStorage',
    storeAuthStateInCookie: false,
  },
};
Relevant Code Snippets
Simple reproducible version:
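import { PublicClientApplication } from '@azure/msal-browser';

export const initializeAuth = async () => {
  const msalInstance = new PublicClientApplication(msalConfig);
  await msalInstance.initialize();
  msalInstance
    .handleRedirectPromise()
    .then(tokenResponse => {
      // Return the promise so a failed ssoSilent reaches the .catch below
      return msalInstance.ssoSilent({
        scopes: ['User.Read'],
      });
    })
    .catch(error => {
      // With the Chrome check enabled this logs monitor_window_timeout
      console.error(error);
    });
};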
Reproduction Steps
- Either install chrome 142 or enable chrome://flags/#local-network-access-check
- Run app locally and trigger the auth flow
Expected Behavior
Prior to this chrome update, ssoLogin was able to extract the iframe href. It would not fail.
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
Chrome
Regression
No response
The work around for your browser is to go into chrome here:
chrome://flags/#local-network-access-check
And disable this setting for now. One would hope it would take you DIRECTLY there, but it doesn't. You will need to type or copy/paste "local-network-access-check" in the search to find it. Set it from default to disabled.
This may be related to using session storage as a project I know about uses this as well.
I just updated Chrome and was hit with the same issue. It definitely causes a pretty big slowdown for page loads that try to use ssoSilent(). Isn't this one of the most common methods for signing users in? It seems like it would be from the documentation. And Chrome is certainly the most heavily used browser. So... this is a significant issue, right?
Based on my research, I would personally say that yes, this is a significant issue. At best, it causes a big slowdown. At worst, some auth flows are going to fail, especially since a lot of the existing documentation/examples for msal-browser do not provide the correct error handling for the monitor_window_timeout error. I've already had to patch a handful of apps.
- I overrode iframeHashTimeout to 3 seconds instead of the default (which I believe is 10 seconds)
const msalConfig = {
  auth: {
    clientId: CLIENT_ID,
    authority: `https://login.microsoftonline.com/${TENANT_ID}`,
    redirectUri: location.origin,
    postLogoutRedirectUri: '/',
  },
  cache: {
    cacheLocation: 'sessionStorage',
    storeAuthStateInCookie: false,
  },
  system: {
    iframeHashTimeout: 3000, // see here
  },
};
- I added some error handling for the monitor_window_timeout issue
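import { BrowserAuthError } from '@azure/msal-browser';

try {
  // silent attempt that can time out in the hidden iframe
  await instance?.ssoSilent(loginRequest);
} catch (err) {
  if (
    err instanceof BrowserAuthError &&
    err.errorCode === 'monitor_window_timeout'
  ) {
    // fall back to non-silent login
    await instance?.loginRedirect(loginRequest);
  }
}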
Not the best long term fixes but at least it helps in the meantime. I was hoping a maintainer of this library would see this and confirm/deny my suspicions before chrome started rolling out 142.
Hit with same issue after Chrome update.
Thanks for the report. I'm only able to reproduce this on localhost, which appears consistent with the intended target of this change. Is anybody experiencing this on a deployed, public app?
I'm seeing the same issue with internal web apps which use msal-react, since upgrading to Chrome 142.
I've also experienced this on some deployed internal web apps (intranet, not public).
Gotcha, it looks like to handle this we'll need to add an attribute to the iframe we create: allow local-network-access *. Note that this will still require the user to consent to the local network access, we won't be able to work around that part, but should hopefully provide enough of a path to unblock.
Released in 4.26.1 Please let me know if you continue to have issues with this in the new build.
> Released in 4.26.1 Please let me know if you continue to have issues with this in the new build.
The issue is sadly not resolved. In the Google chrome v142.0.7444.60 using ssoSilent, I am still getting
Unsafe attempt to initiate navigation for frame with origin 'http://localhost:5173' from frame with URL 'https://login.microsoftonline.com/0b3e20b1-66a9-4a2e-8a1e-ac184cf6926d/oauth2/v2.0/authorize?<query parameters>'. The frame attempting navigation of the top-level window is sandboxed, but the flag of 'allow-top-navigation' or 'allow-top-navigation-by-user-activation' is not set.
Probable root cause: the sandbox attribute of the iframe disallows redirecting to a different origin.
@tnorling What is the process? Should we open a new issue?
The generated iframe looks like this
<iframe
  class="msalSilentIframe"
  sandbox="allow-scripts allow-same-origin allow-forms"
  allow="local-network-access *"
  style="
    visibility: hidden;
    position: absolute;
    height: 0px;
    width: 0px;
    border: 0px;
  "
  src="https://login.microsoftonline.com/0b3e20b1-66a9-4a2e-8a1e-ac184cf6926d/oauth2/v2.0/authorize?<query parameters>"
></iframe>
@fejbl2 That is a different issue than what is being discussed in this thread. Please open a new issue for that one. Also in the future please make sure to mask out any sensitive information before posting in a public forum, for the sake of your own security :)
> Released in 4.26.1 Please let me know if you continue to have issues with this in the new build.
Hey @tnorling, I went ahead and tested this on both localhost and a deployed app. I'm still seeing the same CORS error with 4.26.1.
Although I was not prompted to "consent to the local network access", I did try allowing it manually on the website (via chrome settings) but it had no impact.
Just tested with Google Chrome 142.0.7444.60 and library version 4.26.1. Now everything seems to work for me. I get prompted for the "consent to the local network access", and if I allow, the redirect from login.microsoftonline.com to localhost passes without problems.
What I do not understand: Two days ago, the same setup caused CORS issues.
I also did a few tests with the previous library version (4.26.0). The results are even more confusing:
- Reset settings to Chrome defaults. This also deleted all cookies (logs out of microsoft).
- Try the ssoSilent method. The login.microsoftonline.com/... correctly responds with 302 Found and the Location header http://localhost:5173/login-landing.html#error=login_required&error_description=...
- The browser blocks the request with CORS error - LocalNetworkAccessPermissionDenied
- As a result, there is a long 10 seconds timeout (iframe could not navigate, main JS keeps polling)
So far, expected. But then refresh the page and:
- Try again the ssoSilent method. Same response - redirect to localhost. Expected.
- The browser ALLOWS the request - what?
- The login-landing.html page loads fast - no 10s seconds waiting (iframe navigates and main JS reads the fragment part)
> Just tested with Google Chrome 142.0.7444.60 and library version 4.26.1. Now everything seems to work for me. I get prompted for the "consent to the local network access", and if I allow, the redirect from login.microsoftonline.com to localhost passes without problems.
I just updated my chrome beta to the latest version (143.0.7499.17) and tested the login with 4.26.1. It works now! As you said, I was prompted to allow access and then the redirect worked. I assume Chrome fixed something on their end.
Doing the same test on 4.26.0 still fails so the patch that was deployed recently does help on my end.
Hi @tnorling, are there any recommendations on how to handle the case where the user declines the local network access permission?
In my scenario, the BrowserAuthError with monitor_window_timeout code would still be thrown. However as far as I can tell, it is not possible to trace back the reason. So I do not know whether the timeout occurred due to a real network problem or the user just having declined permissions.
In case the user declines the permission, I would like to handle it the same way I currently deal with an InteractionRequiredAuthError and perform a redirect to the login page.
- Should I on my end catch the monitor_window_timeout, then check for permissions using something like await navigator.permissions.query({ name: "local-network-access" }).then((res) => res.state === "granted").catch(() => true) and then perform the redirect in case the check did not pass?
- Or should I raise a feature request? Would it even be worth to implement the error handling in msal itself? I could imagine msal to either throw a variation of the BrowserAuthError or even throw an InteractionRequiredAuthError directly.
What are your thoughts on this? Thank you in advance!
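An added example, not code from this thread or from MSAL.js: one way to combine the monitor_window_timeout fallback from the earlier workaround with the permission check proposed in the question above. It matches errors by name and errorCode so it runs without the library; the function names, the retry count and the choice to treat the "prompt" state like "denied" are assumptions of this sketch.

```javascript
// Added example. Errors are matched by name/errorCode (duck typing) instead of
// instanceof so the sketch runs without @azure/msal-browser installed.
const LNA_PERMISSION = 'local-network-access'; // permission name quoted in the thread

// Returns 'granted' | 'denied' | 'prompt', or 'unsupported' when there is no
// Permissions API or the browser rejects the permission name.
// In a page, pass navigator.permissions as `permissions`.
async function localNetworkAccessState(permissions) {
  if (!permissions || typeof permissions.query !== 'function') return 'unsupported';
  try {
    const status = await permissions.query({ name: LNA_PERMISSION });
    return status.state;
  } catch {
    return 'unsupported';
  }
}

// Pure decision: what to do after ssoSilent() rejected.
//   'interactive' -> fall back to an interactive login
//   'retry'       -> the iframe timed out although the redirect was not blocked
//   'rethrow'     -> an error this handler does not understand
function classifySilentFailure(err, lnaState) {
  if (!err || typeof err !== 'object') return 'rethrow';
  if (err.name === 'InteractionRequiredAuthError') return 'interactive';
  if (err.name === 'BrowserAuthError' && err.errorCode === 'monitor_window_timeout') {
    // Assumption: an undecided prompt is handled like a declined one, because
    // the hidden iframe cannot finish its redirect in either state.
    if (lnaState === 'denied' || lnaState === 'prompt') return 'interactive';
    return 'retry';
  }
  return 'rethrow';
}

// Hypothetical wrapper: `instance` is an initialized PublicClientApplication.
// Resolves with the ssoSilent result, or with null after starting a redirect.
async function ssoSilentOrRedirect(instance, request, permissions, maxRetries = 1) {
  for (let attempt = 0; ; attempt++) {
    try {
      return await instance.ssoSilent(request);
    } catch (err) {
      const state = await localNetworkAccessState(permissions);
      const action = classifySilentFailure(err, state);
      if (action === 'interactive') {
        await instance.loginRedirect(request);
        return null;
      }
      if (action === 'retry' && attempt < maxRetries) continue;
      throw err; // unknown error, or a timeout that survived the retries
    }
  }
}
```

Keeping the retry bounded matters here: each failed silent attempt costs a full iframeHashTimeout before the next decision is made.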