AzureAD · Copilot · Nov 5, 2025 · Nov 5, 2025 · Nov 5, 2025 · Nov 6, 2025
diff --git a/change/@azure-msal-browser-f58c5c6e-8433-4f07-9f71-6e58bab22ab2.json b/change/@azure-msal-browser-f58c5c6e-8433-4f07-9f71-6e58bab22ab2.json
@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Add allow=\"local-network-access *\" attribute to iframe for Chrome 142 compatibility [#8132](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8132)",
+  "packageName": "@azure/msal-browser",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/lib/msal-browser/docs/iframe-usage.md b/lib/msal-browser/docs/iframe-usage.md
@@ -15,6 +15,8 @@ Because Azure AD session cookies within an iframe are considered [3rd party cook
 
 Additionally, when 3rd party cookies are disabled in **Chrome**, iframed MSAL apps will not have access to local or session storage. MSAL will fallback to in-memory storage in this case.
 
+**Chrome 142+** enables [Local Network Access Restrictions](https://chromestatus.com/feature/5152728072060928) by default, which can affect `ssoSilent()` when the iframe needs to access authorization servers on local networks (e.g., corporate networks). MSAL includes the `allow="local-network-access *"` iframe attribute to address this restriction. Users may still need to consent to local network access in their browser, but the authentication flow will no longer timeout with `BrowserAuthError: monitor_window_timeout`.
+
 ## Single sign-on
 
 You **can** achieve [single sign-on](https://docs.microsoft.com/azure/active-directory/develop/msal-js-sso) between iframed and parent apps with the [same-origin](https://developer.mozilla.org/docs/Web/Security/Same-origin_policy) **and** with [cross-origin](https://developer.mozilla.org/docs/Web/Security/Same-origin_policy#cross-origin_script_api_access) **if** you pass an [account hint](./login-user.md#silent-login-with-ssosilent) from the parent app to the iframed app.

@@ -200,6 +200,7 @@ function createHiddenIframe(): HTMLIFrameElement {
         "sandbox",
         "allow-scripts allow-same-origin allow-forms"
     );
+    authFrame.setAttribute("allow", "local-network-access *");
     document.body.appendChild(authFrame);
 
     return authFrame;

@@ -61,6 +61,18 @@ describe("SilentHandler.ts Unit Tests", () => {
             );
             expect(authFrame instanceof HTMLIFrameElement).toBe(true);
         });
+
+        it("Sets the allow attribute for local network access on iframe", async () => {
+            const authFrame = await SilentHandler.initiateCodeRequest(
+                testNavUrl,
+                performanceClient,
+                browserRequestLogger,
+                RANDOM_TEST_GUID
+            );
+            expect(authFrame.getAttribute("allow")).toBe(
+                "local-network-access *"
+            );
+        });
     });
 
     describe("monitorIframeForHash", () => {