PROBLEM

What to know about the new permission prompt in Google Chrome 142 and newer with ArcGIS Enterprise and ArcGIS Online

Last Published: December 9, 2025

Description

The Chrome 142 release features a new permission prompt for sites that make connections to a user's local network, as part of the Local Network Access (LNA) specification. The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks, and to reduce the ability of sites to use these requests to fingerprint the user's local network.

Impacts

Customers that make Cross-Origin Resource Sharing (CORS) requests to internal servers will be impacted by these new requirements. This can be seen when using public iFrames.

iFrame Applications in ArcGIS Enterprise

  • Apps like ArcGIS Enterprise Sites rely on iFrames to embed other ArcGIS Apps within the site.

Third-Party iFrame Integrations

  • Adding ArcGIS Enterprise features that reference internal content like web maps directly to other sites through iFrames.

Applications in ArcGIS Online

  • Apps like Experience Builder, used in ArcGIS Online, that consume referenced services, such as printing or geocoding services, from ArcGIS Server or ArcGIS Enterprise.

Solution or Workaround

To maintain functionality, please follow the LNA Adoption Guide published by Google.

Add the local-network-access string to the iFrame configuration. This ensures that the expected CORS request is sent out to the Enterprise portal for verification.

Sample:

<iframe src="domainB.example" allow="local-network-access 'DOMAIN'"></iframe>
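
To check which embedded apps on a page already carry this setting, the following added example (not Esri or Google code) audits iframe tags for a local-network-access entry in the allow attribute. The function names and the sample markup are constructed for illustration, and it assumes attribute values are double-quoted.

```javascript
// Added example: audit <iframe> tags for local-network-access delegation.
// For arbitrary markup, use a real HTML parser instead of the regexes below.

// Constructed sample markup; hosts are placeholders.
const SAMPLE_HTML = `
<iframe src="https://apps.example/site" allow="fullscreen; local-network-access"></iframe>
<iframe src="https://apps.example/map" allow="fullscreen; geolocation 'self'"></iframe>
<iframe src="https://apps.example/print" allow="local-network-access \u2018DOMAIN\u2019"></iframe>
<iframe src="https://apps.example/off" allow="local-network-access 'none'"></iframe>`;

// Parse an allow attribute: ";"-separated directives, each "feature [allowlist tokens...]".
function parseAllow(allow) {
  const policy = new Map();
  for (const directive of (allow || "").split(";")) {
    const [feature, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (feature) policy.set(feature.toLowerCase(), tokens);
  }
  return policy;
}

// Read one double-quoted attribute value from a start tag, or null if absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*"([^"]*)"`, "i"));
  return m ? m[1] : null;
}

// Classify each iframe: delegated, missing, blocked ('none'),
// or malformed (typographic quotes pasted from a document).
function auditIframes(html) {
  return [...html.matchAll(/<iframe\b[^>]*>/gi)].map(([tag]) => {
    const tokens = parseAllow(attr(tag, "allow")).get("local-network-access");
    let status = "delegated";
    if (tokens === undefined) status = "missing";
    else if (tokens.some((t) => /[\u2018\u2019\u201C\u201D]/.test(t))) status = "malformed";
    else if (tokens.includes("'none'")) status = "blocked";
    return { src: attr(tag, "src"), status, tokens: tokens || [] };
  });
}

for (const f of auditIframes(SAMPLE_HTML)) console.log(f.status.padEnd(10), f.src);
```

Frames reported as missing or malformed are the ones to update before users on Chrome 142 and newer load the page.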

If there are any issues after this setting is applied, please contact Esri Technical Support.

Article ID: 000039171

Software:
  • ArcGIS Online
  • ArcGIS Enterprise
