1. Web
  2. Web APIs
  3. Request
  4. targetAddressSpace
View on MDN

Request: targetAddressSpace property

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Note: This feature is available in Web Workers.

The read-only targetAddressSpace property of the Request interface returns the request's target address space, which indicates whether it is intended to be a loopback, local, or public request.

Value

An enumerated value, which can be one of:

local

The request is to a local address, which is only accessible on the local network; its target will differ on different networks. For example, 192.168.0.1.

loopback

The request is to a loopback address, which is only accessible on the local device; its target will differ on every device. For example, 127.0.0.1, which is generally known as localhost.

public

The request is to an address available from anywhere on the internet; its target is the same for all devices globally. For example, 104.18.27.120 (the IP address of example.com)

unknown

No targetAddressSpace was set on the request.

Description

In browsers that support Local Network Access, loopback and local requests are gated behind specific permissions — local-network and loopback-network, respectively. Requiring user permissions for such requests mitigates the risk of cross-site request forgery (CSRF) attacks against local network devices such as routers and printers, and reduces the ability of sites to use these requests to fingerprint the user's local network.

This permission is restricted to secure contexts. If granted, the permissions additionally relax mixed content blocking for local network requests. This is useful because many local devices are not able to obtain publicly trusted TLS certificates for various reasons. For example, it allows public websites to access local testing servers or devices running on HTTP.

The targetAddressSpace property, when set to local or loopback on new requests (via the Request() constructor or directly in the fetch() method), explicitly tells supporting browsers to skip mixed content checks. This is needed in cases where a URL is a public domain address, but ends up resolving to a local network address, such as http://internal.example.com.

Some addresses such as private IP literals (for example, 192.168.0.1) and local addresses (such as http://router.local) are exempt from mixed content checks, so don't need the targetAddressSpace property to be set.

Examples

Basic usage

js
const req = new Request("http://localhost:8888", {
  method: "get",
  mode: "cors",
  targetAddressSpace: "loopback",
});

console.log(req.targetAddressSpace);
// loopback

fetch(req);

Specifications

Specification
Local Network Access
# dom-request-targetaddressspace

Browser compatibility

See also

Help improve MDN

Learn how to contribute

This page was last modified on by MDN contributors.

View this page on GitHubReport a problem with this content