While this will help to block many websites that have no business making local connections at all, it's still very coarse-grained.
Most websites that need this permission only need to access one local server. Granting them access to everything violates the principle of least privilege. Most users don't know what's running on localhost or on their local network, so they won't understand the risk.
> Most users don't know what's running on localhost or on their local network, so they won't understand the risk.
Yes, which is why they also won't understand when the browser asks if you'd like to allow the site to visit http://localhost:3146 vs http://localhost:8089. A sensible permission message ("allow this site to access resources on your local network") is better than technical mumbo jumbo which will make them just click "yes" in confusion.
Either way they'll click "yes" as long as the attacker site properly primes them for it.
For instance, on the phishing site they clicked on from an email, they'll first be prompted like:
"Chase need to verify your Local Network identity to keep your account details safe. Please ensure that you click "Yes" on the following screen to confirm your identity and access account."
Yes, that's meaningless gibberish but most people would say:
• "Not sure what that means..."
• "I DO want to access my account, though."
This is true, but you can only protect people from themselves so far. At some point you gotta let them do what they want to do. I don't want to live in a world where Google decides what we are and aren't allowed to do.
In an ideal world, the browser could act as an mDNS client, discovering local services, so that it could then show the pretty name of the relevant service in the security prompt.
In the world we live in, of course, almost nothing on your average LAN has an associated mDNS service advertisement.
They don’t? Every time I install an OS I turn that stuff off, because I don’t fully understand it. Or is avahi et al another thing?
While that message has less jargon, most users still won't understand what "resources on your local network" means. They'll blindly accept it.
On a phone at least, it should be "do you want to allow website A to connect to app B."
(It's harder to do for the rest of the local network, though.)
A comprehensive implementation would be a firewall. Which CIDRs, which ports, etc.
I wish there were an API to build such a firewall, e.g. as a part of a browser extension, but also a simple default UI allowing to give access to a particular machine (e.g. router), to the LAN, to a VPN, based on the routing table, or to "private networks" in general, in the sense Windows ascribes to that. Also access to localhost separately. The site could ask one of these categories explicitly.
> I wish there were an API to build such a firewall, e.g. as a part of a browser extension,
There was in Manifest V2, and it still exists in Firefox.
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
That's the API Chrome removed with Manifest V3. You can still log all web requests, but you can't block them dynamically anymore.