loke.dev
Header image for Localhost Is a Foreign Country

Localhost Is a Foreign Country

Why the Private Network Access (PNA) specification is quietly breaking your internal network fetches—and how to navigate the new preflight requirements for local devices.

· 4 min read

Ever wonder why your perfectly valid React app suddenly can't talk to the smart printer sitting three feet away on your desk, even though they’re on the same Wi-Fi?

It used to be that the browser treated the internet like a flat map. If your code was running on https://cool-app.com, it could theoretically fire off a fetch() to http://192.168.1.50 (your printer) or http://localhost:8080 (your dev server) without the browser blinking an eye.

But things changed. The W3C decided that if your browser is reaching from a "public" context into a "private" or "local" one, it’s crossing a border. And like any international crossing, you now need a passport and a specific set of permissions. This is the Private Network Access (PNA) specification.

The "Sofa-to-Server" Problem

The security risk here is actually pretty terrifying. Imagine you visit a malicious website. That site runs a script in the background that starts port-scanning your local network. It finds your router’s admin page at 192.168.1.1. Since your browser likely has a saved session cookie for that router, the malicious site could theoretically change your DNS settings or open a DMZ just by sending a hidden POST request from your own machine.

To fix this, browsers now categorize IP addresses into three distinct spaces:
1. Local: 127.0.0.1 or ::1 (Your machine).
2. Private: 192.168.x.x, 10.x.x.x, etc. (Your home/office network).
3. Public: Everything else (The actual internet).

If a "Public" site tries to talk to a "Private" or "Local" address, the browser treats it as a cross-origin request on steroids.

The New Preflight: It’s Not Just CORS

We all know the standard CORS preflight (the OPTIONS request). PNA adds a new twist to this dance. When your public-facing site tries to fetch something from your local network, the browser sends an OPTIONS request with a special header:

GET /api/data HTTP/1.1
Host: 192.168.1.50
Access-Control-Request-Private-Network: true
Origin: https://your-public-app.com

If your local device (the server) doesn't explicitly say "Yes, I allow public websites to talk to me," the browser kills the connection immediately. Your server must respond with the header Access-Control-Allow-Private-Network: true.

How to Fix Your Broken Fetch

If you’re building an internal tool or a local dev environment that needs to talk to local hardware, you have to update your server-side logic. Here’s how you’d handle this in a standard Node.js/Express setup.

const express = require('express');
const app = express();

app.use((req, res, next) => {
  // 1. Set the standard CORS headers
  res.header('Access-Control-Allow-Origin', 'https://your-public-app.com');
  res.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
  
  // 2. The PNA specific magic
  if (req.headers['access-control-request-private-network']) {
    res.header('Access-Control-Allow-Private-Network', 'true');
  }

  // 3. Handle the preflight OPTIONS request
  if (req.method === 'OPTIONS') {
    return res.sendStatus(204);
  }

  next();
});

app.get('/api/status', (req, res) => {
  res.json({ status: 'Connected to local device!' });
});

app.listen(8080);

Notice that we aren't just checking for OPTIONS. We are specifically looking for that Access-Control-Request-Private-Network header. If it's there, and we don't send back the matching Allow header, the browser will throw a console error that looks something like:
The request client is not a secure context and the resource is in more-private address space.

The "Secure Context" Gotcha

Here is where it gets really annoying: PNA is increasingly requiring a Secure Context.

In plain English, this means if your public website is running on http:// (not secure), the browser will likely block any attempt to talk to your private network entirely, regardless of headers. Chrome, in particular, has been tightening the screws here.

If you're testing locally (where both sides are localhost), you're usually fine. But once your app goes live on a public URL, it must be https:// to reach into the user's home network.

Testing with Chrome Flags

Sometimes you just need to get work done and don't want to fight the spec during a 2:00 PM debugging session. If you need to temporarily bypass these checks in Chrome for testing purposes, you can toggle this flag:

1. Open chrome://flags
2. Search for "Block insecure private network requests"
3. Set it to Disabled (but remember to turn it back on so you don't leave your own router vulnerable!).

Why You Should Care

It’s easy to look at this as just another hurdle the Chrome team is throwing at us. But it's actually a massive win for the "Internet of Things." Most IoT devices (printers, smart lights, local storage) have notoriously bad security. They often have no password or a default "admin/admin" combo.

By treating the local network as a "Foreign Country," the browser is acting as a border agent, ensuring that a random website you visited can’t secretly start printing 500 pages of gibberish or reconfiguring your backup drive.

If your internal fetches are failing, don't just reach for a CORS proxy. Check your headers, ensure you're in a secure context, and explicitly welcome the incoming traffic from the outside world. It’s a bit more work, but it keeps the "sofa-to-server" attacks at bay.