[@webcontainer/api] Add allow="local-network-access" attribute to WebContainer iframes for Chrome's Local Network Access (LNA) compliance #2007
Description
Is your feature request related to a problem? Please describe:
Chrome has introduced Local Network Access (LNA) restrictions as part of the Private Network Access specification to enhance security when web applications access private/local network resources. Starting from Chrome 142 (rolling out by default), this feature requires explicit permission through the allow="local-network-access" attribute on iframes that need to make requests to private IP addresses (e.g., 10.x.x.x, 192.168.x.x, 127.0.0.1, etc.).
When using @webcontainer/api in our application, we've encountered the following problems:
1. Fetch request failures
Any fetch requests to private network resources from within the WebContainer environment fail due to LNA restrictions.
2. Missing LNA attribute on iframes
The iframes created by WebContainer (both the main iframe and any nested iframes) do not include the allow="local-network-access" attribute, causing local network requests to be blocked by Chrome's LNA policy.
3. Nested iframe permission delegation issue
According to the LNA Adoption Guide, when making local network requests from inside nested iframes, all iframes in the hierarchy must specify the local-network-access permissions policy flag.
In WebContainer's architecture:
- The outer iframe (e.g.,
stackblitz.com/headless) embeds an inner iframe - The inner iframe may have a different origin
- Both iframes need the LNA permission for requests to work properly
Describe the solution you'd like:
Could the WebContainer team please consider adding native support for the allow="local-network-access" attribute? This would greatly improve compatibility with Chrome's security policies and enable seamless access to private network resources.
Thank you for your consideration!
Describe alternatives you've considered:
Additional context:
Reference: