Chrome Local Network Access prompt triggered by embedded Zammad form on our website

Hello,

we are experiencing an issue with the Zammad web form embedded on our company website:
Kontakt - Ekspert Systemy Informatyczne

When users open this page in Google Chrome 142+, the browser displays a permission prompt:

“Chrome needs your permission to look for and connect to devices on your local network.”
(or depending on language: “Look for and connect to devices on your local network”)

This prompt appears immediately, before the user interacts with the form.

What we found so far

  • The form is loaded via the standard Zammad web form script (form.js).
  • Chrome 142 introduces a new Local Network Access (LNA) permission system, which shows this prompt whenever a webpage attempts to access any local network resources (localhost, LAN IPs, loopback connections, etc.).
  • It looks like the prompt is triggered because the <script> tag that loads the form was originally referencing a localhost source during our integration phase.

Example from the implementation:

< script id=“zammad_form_script” src=“http://localhost:3000/assets/form/form.js”>< /script >

I added the space on purpose.

Chrome interprets this as the page trying to contact a local network service, and therefore displays the LNA permission dialog.

Current situation

  • The form itself works correctly after deployment.
  • However, some users still see the Chrome local-network prompt depending on caching and how the script is embedded.
  • We want to confirm whether Zammad’s form loader performs any operations that may unintentionally cause Chrome to treat it as a local-network access attempt (e.g. automatic POST to form_config endpoint on script load).
  • We would appreciate guidance on whether:
    • the current behavior is expected,
    • any changes are recommended for form.js,
    • or if there are best practices for embedding Zammad forms in Chrome 142+ environments to avoid this prompt.

Environment

  • Zammad version: 6.5.2-1765903927.5697ef96.bookworm
  • Browser: Google Chrome 142+
  • Website using embedded form: Kontakt - Ekspert Systemy Informatyczne
  • Form is loaded using the standard Zammad web form script

Question

Is there an officially recommended way to embed the Zammad form so that Chrome 142+ does not display the Local Network Access prompt?
Are there any upcoming changes or patches to form.js related to Chrome’s LNA policy?

Thank you very much!

Best regards,
Michał

If I had to bet, the form fails to correctly detect the Zammad URL for whatever reason. This can happen, especially with big pages like WordPress stuff.

The form JS generally does not use local LAN stuff, the fallback to localhost indirectly triggers this request though. Zammad expects jQuery 3.6.0 - WordPress pages usually have dozens of duplicate and differing implementations…

Additionally you’re lazy loading the form which might also be a problem.
Adjusting your applet as shown below might help.

<script id="zammad_form_script" data-rocket-src="https://wsparcie.ekspert.biz/assets/form/form.js"></script>


<script>
$(function() {
  $('#feedback-form').ZammadForm({
    messageTitle: 'Zgłoszenie serwisowe',
    messageSubmit: 'Wyślij',
    messageThankYou: 'Dziękujemy za zapytanie (#%s)! Skontaktujemy się z Tobą jak najszybciej.',
    showTitle: true,
    modal: true,
    attachmentSupport: true
  });
});
</script>

Thanks for the reply @MrGeneration
I’m adding details about my issue.

On the company website Kontakt - Ekspert Systemy Informatyczne, there’s a button directing to the Zammad ticket form. The form uses the Zammad script located at: https://wsparcie.ekspert.biz/assets/form/form.js
The problem is that this script contains a line (number 10):
< script id=“zammad_form_script” src=“http://localhost:3000/assets/form/form.js”>
As a result, Google Chrome triggers a warning for the user, as it has implemented a new security mechanism that blocks access to resources from the local network. Details are described here:
New permission prompt for Local Network Access  |  Blog  |  Chrome for Developers
We verified that this script is used in multiple places within Zammad itself, so we didn’t want to modify it without understanding the system implications.
This may not be a critical issue, but the message appears on the user side, so we are reporting it now - especially since we are about to update to a new version and maybe this issue can be fixed along the way.

I should point out that the problem currently affects Chrome. For now :wink:
Best regards, Michał

Yeah sorry, I cannot reproduce your problem. I also cannot find anything with localhost in your source code on the linked page. I’ve cycled through it. I also can create tickets via your form in my Google Chrome v143 without any trouble.

If inside and outside of your company network is a thing, you might wanna try externally.

It’s strange that you don’t see a notification in Chrome. The request has been added. I close the ticket :slight_smile: However, the website’s web developer claims that the problem is caused by an entry in the form script from the Zammad server. So, is there anything I can do about it?
Problematic line 10 in the source code zammad/public/assets/form/form.js at develop · zammad/zammad · GitHub

If you take a look at lines 3 to 61 as a whole, you will see that the mentioned code block and part is in between /* xx */, which is the JavaScript way for commentary sections.

So this block only tells you what the code below is doing. It is not executed in any way.

I can neither speak nor read / understand your native language. So I did what every insane user would do - I pressed all buttons on that contact page to see what happens. I did successfully use the Zgłoszenie serwisowe button. I also do not see any localhost request or console outputs that would suggest this happening in the developer console.

Maybe another side note regarding the form implementation in your page.
I said in my first response, that the lazy loading might cause issues. It doesn’t seem to do that, however, it significantly delays the function of the button and my being able to open the form. I can press 3-5 times easily within a timespan of several seconds.

Hi, thanks for your help.
I’ve explained the situation.
The message only occurs within the company’s local network or VPN.
In this case, the internal DNS points to the local address of the Zammad server, and the browser treats it as a jump from the external website address to the local address.
Sorry for the confusion. You can close this thread.

Best regards,
Michał

1 Like
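
The cause named in the last post (a public website loading the Zammad form from a host that internal DNS resolves to a local address) can be checked per resolver view. This is an added example, not part of the thread or of Zammad's code; the address-space rules are a simplified model of Chrome's Local Network Access classification, and every IP address and view name below is constructed.

```javascript
// Simplified model (assumption) of the address spaces LNA distinguishes.
// Handles IPv4 literals and the most common IPv6 forms only.
function addressSpace(ip) {
  const v = ip.toLowerCase();
  if (v.includes(':')) {
    if (v === '::1') return 'loopback';
    if (/^f[cd][0-9a-f]{2}:/.test(v)) return 'local';   // fc00::/7 unique local
    if (/^fe[89ab][0-9a-f]:/.test(v)) return 'local';   // fe80::/10 link-local
    return 'public';
  }
  const parts = v.split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error(`not an IP literal: ${ip}`);
  }
  const [a, b] = parts.map(Number);
  if (a === 127) return 'loopback';
  if (a === 10) return 'local';                          // RFC 1918
  if (a === 172 && b >= 16 && b <= 31) return 'local';   // RFC 1918
  if (a === 192 && b === 168) return 'local';            // RFC 1918
  if (a === 169 && b === 254) return 'local';            // link-local
  return 'public';
}

const RANK = { public: 0, local: 1, loopback: 2 };

// A prompt is expected when the embedded resource lives in a more private
// address space than the page that embeds it.
function wouldPrompt(pageIp, targetIp) {
  return RANK[addressSpace(targetIp)] > RANK[addressSpace(pageIp)];
}

// Constructed sample: what each resolver view returns for the website and
// for the Zammad host that serves form.js.
const VIEWS = [
  { name: 'external resolver',     page: '203.0.113.10', zammad: '198.51.100.20' },
  { name: 'internal/VPN resolver', page: '203.0.113.10', zammad: '10.0.5.20' },
  { name: 'script src = localhost', page: '203.0.113.10', zammad: '127.0.0.1' },
];

// Names of the views in which visitors would see the permission prompt.
function promptingViews(views) {
  return views.filter(v => wouldPrompt(v.page, v.zammad)).map(v => v.name);
}

console.log(promptingViews(VIEWS));
```

Feeding it the addresses each resolver actually returns for the website and the Zammad host shows which user groups are affected; serving the same public address to internal clients removes the mismatch.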

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.