Share via

Local Network Access iFrame Restrictions Causing Development Problems

Justin Griep 20 Reputation points
2025-12-04T18:17:40.4366667+00:00

With the release of Chrome v143 and Edge v143, Local Network Access restrictions have been implemented.

Due to this, our Teams app development has been halted as it now throws CORS errors in the dev environment.

We have narrowed the problem down to part of this specification where an iframe requires an attribute allow="local-network-access". We can't change this in the Teams app, as it creates the container iframe we are hosted in.

There are a good number of scenarios where we need local access, such as Vite JS.

I have tried to work around this with --ip-address-space-overrides command line argument to get it to treat our local dev calls as public. However, it seems the iframe protection ignores this and still causes a CORS violation.

The only workaround seems to be proxies / dev tunnels for these resources, but this can be difficult or time-consuming.

Here is a guide for reference on LNA adoptions:

https://docs.google.com/document/d/1QQkqehw8umtAgz5z0um7THx-aoU251p705FbIQjDuGs/edit?tab=t.0

Is anyone else experiencing this issue?

Has anyone come up with a workaround outside of proxies or dev tunnels?

Microsoft Teams | Development
Microsoft Teams | Development
Building, integrating, or customizing apps and workflows within Microsoft Teams using developer tools and APIs
0 comments
Answer accepted by question author
  1. Teddie-D 8,640 Reputation points Microsoft External Staff Moderator
    2025-12-05T02:25:18.8566667+00:00

    Hi @Justin Griep 

    Thank you for posting your question in the Microsoft Q&A forum. 

    The enterprise policy applies only to top-level frames. When an app runs inside an iframe, as Teams tabs do, the browser still enforces the allow="local-network-access" requirement because the embedding frame must delegate that permission. 

    Unfortunately, since Teams controls the container iframe, you cannot add this attribute yourself. Even if LocalNetworkAccessAllowedForUrls grants local network access to the origin, the iframe sandbox continues to block local requests unless the parent frame explicitly includes allow="local-network-access". 

    Currently, Teams does not include this attribute, so the restriction remains. The most reliable workaround is to use proxies or developer tunnels such as ngrok or the dev tunnels in Visual Studio Code, which move the endpoint out of the local address space. 

    The Teams engineering team is evaluating the addition of allow="local-network-access" support in integration iframes, but there is no confirmed timeline. Please keep an eye on the Chrome 142 LNA Restrictions: Integration iframes require allow="local-network-access" · I…for updates.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-12-04T18:17:58.7033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The implementation of Local Network Access restrictions in Chrome and Edge can indeed cause issues for applications like Teams that rely on iframes for functionality. As you mentioned, the requirement for the allow="local-network-access" attribute in iframes can lead to CORS errors if the Teams app does not permit changes to the iframe configuration.

    Currently, the recommended approach for handling local network access is to configure the LocalNetworkAccessAllowedForUrls policy in the registry for Chrome-based Microsoft Edge and Google Chrome browsers. This policy allows specific websites to access resources on local network endpoints, which is essential for enabling peer-to-peer communication in Microsoft eCDN. However, if you are unable to modify the iframe settings in the Teams app, this may not resolve your issue directly.

    While proxies or development tunnels are common workarounds, they can be cumbersome. Another potential solution could be to explore whether your development environment can simulate the necessary permissions or to check if there are updates or changes in the Teams app that might allow for better handling of local network access in iframes. Additionally, keeping an eye on updates from Microsoft regarding Local Network Access policies may provide new options in the future.

    If you are facing specific CORS errors, providing detailed error messages in developer forums or communities may also yield insights from others who have encountered similar issues.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.