Add local-network-access iframe attribute for Chrome 142+ compatibility #8128
… compatibility Co-authored-by: tnorling <5307810+tnorling@users.noreply.github.com>
@copilot Please generate changefiles by running |
Changefile generated successfully. The file is located at |
Pull Request Overview
This PR adds the allow="local-network-access *" attribute to silent authentication iframes to ensure compatibility with Chrome 142, which introduces new privacy controls for local network access.
- Adds `local-network-access *` attribute to the hidden iframe used for silent authentication flows
- Includes a test case to verify the attribute is correctly set on the iframe
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| lib/msal-browser/src/interaction_handler/SilentHandler.ts | Adds allow="local-network-access *" attribute to the hidden iframe created for silent token renewal |
| lib/msal-browser/test/interaction_handler/SilentHandler.spec.ts | Adds test to verify the allow attribute is properly set on the iframe |
| change/@azure-msal-browser-bc911259-ba35-43da-8c09-76cc3916692c.json | Beachball change file documenting the patch for Chrome 142 compatibility |
| @@ -0,0 +1,7 @@ | |||
| { | |||
| "type": "patch", | |||
| "comment": "Add allow=\"local-network-access *\" attribute to iframe for Chrome 142 compatibility", | |||
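Review bot: The `"comment"` string records the wildcard allowlist `local-network-access *` without saying that the wildcard is intentional. In an iframe `allow` attribute, `*` delegates the feature to any origin the frame loads, so the changelog entry should either state why every origin is needed for the silent flow, or the allowlist should be narrowed to the authorization server's origin.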
Copilot
AI
Nov 5, 2025
The change file comment is missing the PR number reference. According to repository guidelines, change messages should follow the template: 'Brief description of change #XXXX'. Please update the comment to include the PR number as a link.
…ty (#8128)

## ✅ Fix ssoSilent failure in Chrome 142 due to Local Network Access Restrictions

### Summary

Chrome 142 enables Local Network Access Restrictions by default, blocking iframe access to authorization servers with a `LocalNetworkAccessPermissionDenied` CORS error. This causes `ssoSilent()` to time out and fail with `BrowserAuthError: monitor_window_timeout`.

**Solution**: Add `allow="local-network-access *"` attribute to the iframe element created for silent authentication.

### Changes Completed ✅

- [x] Update `createHiddenIframe()` function in `SilentHandler.ts` to add `allow` attribute with `local-network-access *`
- [x] Add test to verify the `allow` attribute is set correctly
- [x] Build and test the changes - all tests pass
- [x] Run linter and ensure all checks pass
- [x] Verify code formatting
- [x] Final verification with comprehensive test suite
- [x] Generate beachball changefile

### Files Modified (15 lines total)

- **lib/msal-browser/src/interaction_handler/SilentHandler.ts** - Added 1 line to set allow attribute
- **lib/msal-browser/test/interaction_handler/SilentHandler.spec.ts** - Added 13 lines for new test
- **change/@azure-msal-browser-bc911259-ba35-43da-8c09-76cc3916692c.json** - Beachball changefile for patch release

### Testing Results ✅

- ✅ **SilentHandler.spec.ts**: All 7 tests pass (including new test for allow attribute)
- ✅ **SilentIframeClient.spec.ts**: All 24 tests pass
- ✅ **All interaction tests**: 310 tests passed, 1 skipped (pre-existing)
- ✅ **Linter**: Passes with no new errors or warnings
- ✅ **Code formatting**: Passes prettier checks
- ✅ **Build**: Succeeds for both msal-common and msal-browser
- ✅ **Beachball check**: Passes validation

### Technical Details

#### Production Code Change (1 line)

```typescript
// In createHiddenIframe() function:
authFrame.setAttribute("allow", "local-network-access *");
```

#### Test Coverage Added

New test verifies that the `allow` attribute is correctly set to `"local-network-access *"` on the created iframe.

#### Beachball Changefile

Generated changefile for @azure/msal-browser with patch version bump.

### Impact Analysis

- ✅ **Minimal change**: Only 1 line added to production code
- ✅ **Non-breaking**: The attribute is permissive and doesn't restrict existing functionality
- ✅ **Backward compatible**: Works with older Chrome versions without issues
- ✅ **Forward compatible**: Addresses Chrome 142+ requirements
- ℹ️ **User consent**: Users will still need to consent to local network access in Chrome 142+, but the authentication flow will no longer time out

### References

- [Chrome Status - Local Network Access](https://chromestatus.com/feature/5152728072060928)
- [Chrome Developer Blog - Local Network Access](https://developer.chrome.com/blog/local-network-access)
- [Implementation Guide](https://docs.google.com/document/d/1QQkqehw8umtAgz5z0um7THx-aoU251p705FbIQjDuGs/edit)

<details>
<summary>Original prompt</summary>

----

*This section details on the original issue you should resolve*

<issue_title>ssoSilent fails in upcoming version of Chrome (142)</issue_title>
<issue_description>

### Core Library

MSAL.js (@azure/msal-browser)

### Core Library Version

4.25.0

### Wrapper Library

Not Applicable

### Wrapper Library Version

N/A

### Public or Confidential Client?

Confidential, Public

### Description

Version 142 (latest beta version) of chrome enables Local Network Access Restrictions [[0]](https://chromestatus.com/feature/5152728072060928) [[1]](https://developer.chrome.com/blog/local-network-access). This breaks the ssoLogin function due to the following CORS error: `LocalNetworkAccessPermissionDenied`. Rather than returning account information, it causes a BrowserAuthError due to a timeout.

I'm able to reproduce this on older versions of chrome by manually enabling the following flag: `chrome://flags/#local-network-access-check`.

I was able to reproduce this with both msal-browser and msal-react. I've reproduced this locally and on deployed (non-localhost) websites.

Note that it seems like other browsers plan to include similar features so this issue might become more widespread.

### Error Message

Network error `CORS: LocalNetworkAccessPermissionDenied`. That error causes the following upstream issue: `BrowserAuthError: monitor_window_timeout: Token acquisition in iframe failed due to timeout. For more visit: aka.ms/msaljs/browser-errors`.

After doing some debugging, I was able to find the following error occurring in `monitorIframeForHash` function in [SilentHandler.ts](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/src/interaction_handler/SilentHandler.ts): `Uncaught SecurityError: Failed to read a named property 'href' from 'Location': Blocked a frame with origin "http://localhost:5173" from accessing a cross-origin frame.`

### MSAL Logs

```
[MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Trace - initialize called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Trace - Executing function initializeCache
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Info - MSAL.js was last initialized by version: 4.25.0
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Trace - Returning result from initializeCache
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Verbose - Claims-based caching is disabled. Clearing the previous cache with claims
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Trace - Executing function clearTokensAndKeysWithClaims
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Trace - Returning result from clearTokensAndKeysWithClaims
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Verbose - handleRedirectPromise called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Trace - BrowserCacheManager.getTemporaryCache: No cache item found in local storage
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Info - handleRedirectPromise called but there is no interaction in progress, returning null.
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Verbose - handleRedirectPromise has been called for the first time, storing the promise
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Verbose - getAllAccounts called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : @azure/msal-browser@4.25.0 : Verbose - ssoSilent called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Trace - canUsePlatformBroker called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/msal-browser@4.25.0 : Trace - canUsePlatformBroker: platform broker unavilable, returning false
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : msal.js.browser@4.25.0 : Warning - No user hint provided. The authorization server may need more information to complete this request.
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : msal.js.browser@4.25.0 : Trace - Executing function standardInteractionClientInitializeAuthorizationRequest
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : msal.js.browser@4.25.0 : Verbose - getRedirectUri called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : msal.js.browser@4.25.0 : Trace - Executing function initializeBaseRequest
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : msal.js.browser@4.25.0 : Verbose - Authentication Scheme wasn't explici...
```

</details>

- Fixes #8100

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: tnorling <5307810+tnorling@users.noreply.github.com>
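The `allow` value set in this PR is a Permissions Policy allowlist, and `*` delegates `local-network-access` to whatever origin the hidden frame loads. The following is an added example, not code from the PR or from MSAL: a small auditor that parses an `allow` value and reports whether a feature is delegated by wildcard, to listed origins only, or not at all. The function names, the `login.example.com` authority and the expected-origin list are assumptions made for illustration.

```javascript
// Added example, not MSAL code. Audits how widely an iframe `allow` value
// delegates a Permissions Policy feature such as local-network-access.

// Parse an `allow` value into Map<feature, allowlist tokens>. A feature listed
// with no allowlist defaults to 'src' (the origin of the iframe's src URL).
function parseAllow(value) {
    const policy = new Map();
    for (const directive of value.split(";")) {
        const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
        if (feature) policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
    }
    return policy;
}

// Origin of a URL or allowlist token, or null when it does not parse.
function originOf(token) {
    try { return new URL(token).origin; } catch { return null; }
}

// Classify the delegation of `feature`. `expectedOrigins` is the caller's own
// list of origins the frame should visit (an assumption of this example).
function auditFeature(allowValue, feature, expectedOrigins) {
    const allowlist = parseAllow(allowValue).get(feature);
    if (!allowlist || allowlist.includes("'none'")) return { status: "not-delegated", unexpected: [] };
    if (allowlist.includes("*")) return { status: "wildcard", unexpected: [] };
    const expected = new Set(expectedOrigins.map(originOf).filter(Boolean));
    const unexpected = allowlist.filter((t) => !t.startsWith("'") && !expected.has(originOf(t)));
    return { status: unexpected.length ? "unexpected-origin" : "scoped", unexpected };
}

// Build an `allow` value limited to the given origins instead of `*`.
function scopedAllow(feature, urls) {
    return `${feature} ${urls.map(originOf).join(" ")}`;
}

// Constructed samples: the value from this PR, and a scoped alternative for a
// placeholder authority URL.
const FEATURE = "local-network-access";
const AUTHORITY = "https://login.example.com/tenant/oauth2/v2.0/authorize";
console.log(auditFeature("local-network-access *", FEATURE, [AUTHORITY]).status);
console.log(auditFeature(scopedAllow(FEATURE, [AUTHORITY]), FEATURE, [AUTHORITY]).status);
```

A scoped value only helps if every origin the hidden frame needs the permission on is listed; the PR itself ships `*`.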