Blazor WASM: Silent Logins fail since Chrome 142 on applications hosted in local networks

Open sprehn-ero opened this issue 2 weeks ago • 4 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Describe the bug

When running Blazor apps on a private network (192.168.*.*, 172.16.*.*, 10.*.*.*), the OIDC callback during silent authentication is getting blocked with Status: Cross Origin Resource Sharing error: LocalNetworkAccessPermissionDenied

This problem occurs in Chrome 142 and newer due to the newly enabled feature: Local network access restrictions

Policy LocalNetworkAccessAllowedForUrls does not fix the problem.

The guide states: "The LocalNetworkAccessAllowedForUrls policy applies to the top-level origin of the site making the request. If the actual local network access is being made inside of an iframe embedded on that page (or in a nested iframe), all iframes must set the permissions policy flag."

Expected Behavior

Proposed Solution: Add ability to configure RemoteAuthenticatorView to set the required permission on the iframe, e.g. allow="local-network-access domainB.example domainC.example"

Steps To Reproduce

  • use OIDC Authentication
  • run the app on an IP considered private (192.168.*.*, 172.16.*.*, 10.*.*.*)
  • authenticate
  • close and reopen the browser
  • monitor the network in developer console (callback gets blocked and user is not authenticated)

Exceptions (if any)

No response

.NET Version

9.0.11

Anything else?

No response

sprehn-ero avatar Dec 08 '25 15:12 sprehn-ero

I included this js snippet in index.html as a workaround. This achieves the proposed solution, however ....

The browser prompts for user consent to "Look for and connect to any device on your local network" - this permission is way wider than required and not an option in our case.

   function addIframeAllowAttributes() {
       const iframes = document.querySelectorAll("iframe");

       iframes.forEach(frame => {
           frame.setAttribute("allow", "local-network-access *"); 
       });
   }

   // run on page load
   document.addEventListener("DOMContentLoaded", addIframeAllowAttributes);

   // also run when Blazor replaces DOM (important!)
   document.addEventListener("DOMContentLoaded", () => {
       new MutationObserver(addIframeAllowAttributes).observe(document.body, { childList: true, subtree: true });
   });

sprehn-ero avatar Dec 09 '25 13:12 sprehn-ero
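
A narrower variant of the workaround above, added here as an example (not code from this thread or from ASP.NET Core): it replaces the `*` allowlist with explicit origins, in the form the issue proposes, and keeps any other `allow` directives already on the frame. The function names and the origins passed in are assumptions; which origins a deployment has to list depends on its identity provider and callback host.

```javascript
// Added example. LNA_FEATURE is the token quoted in the issue; everything else is illustrative.
const LNA_FEATURE = "local-network-access";

// Normalise entries to serialized origins (paths are dropped, duplicates removed).
// "*" and bare host names are rejected because new URL() throws on them.
function toOrigins(entries) {
  const out = new Set();
  for (const entry of entries) {
    const url = new URL(entry);
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      throw new Error(`unsupported scheme in ${entry}`);
    }
    out.add(url.origin);
  }
  if (out.size === 0) throw new Error("empty allowlist");
  return [...out];
}

// Merge a scoped local-network-access directive into an existing allow value,
// keeping unrelated directives and replacing any earlier (possibly "*") one.
function mergeAllow(existing, entries) {
  const kept = (existing || "")
    .split(";")
    .map(d => d.trim())
    .filter(d => d && d.split(/\s+/)[0].toLowerCase() !== LNA_FEATURE);
  kept.push(`${LNA_FEATURE} ${toOrigins(entries).join(" ")}`);
  return kept.join("; ");
}

// Touch only frames whose src origin is on the allowlist; returns how many changed.
// In the page this would be called with document.querySelectorAll("iframe")
// and location.href, from the same hooks as the original snippet.
function scopeFrames(frames, entries, baseUrl) {
  const allowed = new Set(toOrigins(entries));
  let changed = 0;
  for (const frame of frames) {
    const src = frame.getAttribute("src");
    if (!src) continue;
    let origin;
    try { origin = new URL(src, baseUrl).origin; } catch { continue; }
    if (!allowed.has(origin)) continue;
    const next = mergeAllow(frame.getAttribute("allow"), entries);
    if (next !== frame.getAttribute("allow")) {
      frame.setAttribute("allow", next);
      changed++;
    }
  }
  return changed;
}
```
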

Same issue discussed here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/8100

sprehn-ero avatar Dec 10 '25 12:12 sprehn-ero

It looks like this will be addressed as part of https://github.com/dotnet/aspnetcore/issues/63688, as msal.js has already released a fix for this.

MackinnonBuck avatar Dec 10 '25 18:12 MackinnonBuck

As a temporary fix we enabled opt out via group policy for Chrome and Edge

LocalNetworkAccessRestrictionsTemporaryOptOut
(This enterprise policy is temporary, and will be removed after M146.)

sprehn-ero avatar Dec 11 '25 07:12 sprehn-ero