I've recently been exploring options for allowing web apps to access LAN services. For example, a WebDAV server so you can watch local videos in the app without streaming them through a server.
You can actually achieve a form of discovery if your service registers itself using mDNS for something like `service.local`. Browsers will allow direct navigation/redirection to `http://service.local`, but they'll block any fetch/XHR requests due to mixed content rules, even if you have CORS configured. And of course you can't get a cert for `.local` domains.
Newer things like Chrome's LNA[0] are actually really helpful, because (for now at least) if the user grants the permission, fetch/XHR will go through, but you'll get a bunch of mixed content warnings in the console.
It seems like the only way to fully support this use case currently is with WebRTC, which is pretty sad.
> Meta must face a lawsuit alleging that it secretly tracked Android users' browsing activity on mobile websites that embedded Meta's analytics pixel, and linked that activity to users' identities, a federal judge ruled Monday.
> The decision, issued by U.S. District Court Judge Rita Lin in San Francisco, grew out of a class-action complaint initially brought last June by California resident Devin Rose (and later joined by other Android users).
> Rose alleged that between September 2024 and June 2025, Meta exploited Android's localhost -- a feature that allows software developers to test applications -- to connect users’ mobile web browsing to their Facebook and Instagram profiles.
Not at all to defend Meta but "a feature that allows software developers to test applications" is a dubious definition of localhost. I also can't come up with a better one.
> UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice we describe below.
I've seen it and at least in Chrome it seems to be treating all URLs which are based on an IP address as "local", regardless of the class of the address.
I'd be inherently suspicious of any website in the wild attempting to contact a bare IP address. Aside from localhost, my default assumption would be that such a website is either trying to circumvent my hosts file (or circumvent my other DNS configuration, e.g. pi-hole or DNS-over-HTTPS), malware trying to reach a command-and-control server, or malware trying to circumvent my adblocker.
i would love to have a software engineer's union, not so much to get better working conditions but to be able to say stuff like "i can't implement that unethical feature, it's against union rules and i'd lose my membership".
To be fair; you don't need a union... you can just say no. Context; I told them they couldn't ship this exact feature as designed. (It worked until I left.)
yes, true sometimes (not always). but if more people have access to a way to confidently say "no" (with protection behind them), then i think saying "no" would happen more often, by people who might've otherwise complied.
are there examples of unions that have started around a focus on the ethics of the services they provide? unions traditionally start locally, around issues for which the locality is a hotspot, which is why they usually focus on pay and working conditions. it's also easier to get a large group to agree on a set of improvements to working conditions vs a set of ethical boundaries.
i don't believe that software development should require a license. imagine having to get board-licensed to download gcc; therein lies the death of free software and owning your devices.
I've recently been exploring options for allowing web apps to access LAN services. For example, a WebDAV server so you can watch local videos in the app without streaming them through a server.
You can actually achieve a form of discovery if your service registers itself using mDNS for something like `service.local`. Browsers will allow direct navigation/redirection to `http://service.local`, but they'll block any fetch/XHR requests due to mixed content rules, even if you have CORS configured. And of course you can't get a cert for `.local` domains.
Newer things like Chrome's LNA[0] are actually really helpful, because (for now at least) if the user grants the permission, fetch/XHR will go through, but you'll get a bunch of mixed content warnings in the console.
It seems like the only way to fully support this use case currently is with WebRTC, which is pretty sad.
[0]: https://developer.chrome.com/blog/local-network-access
> Meta must face a lawsuit alleging that it secretly tracked Android users' browsing activity on mobile websites that embedded Meta's analytics pixel, and linked that activity to users' identities, a federal judge ruled Monday.
> The decision, issued by U.S. District Court Judge Rita Lin in San Francisco, grew out of a class-action complaint initially brought last June by California resident Devin Rose (and later joined by other Android users).
> Rose alleged that between September 2024 and June 2025, Meta exploited Android's localhost -- a feature that allows software developers to test applications -- to connect users’ mobile web browsing to their Facebook and Instagram profiles.
May 12, 2026
Not at all to defend Meta but "a feature that allows software developers to test applications" is a dubious definition of localhost. I also can't come up with a better one.
“A network interface which allows processes on the same internet host to communicate without the need for a network connection”
1 reply →
docket: https://www.courtlistener.com/docket/70448987/in-re-meta-and...
im failing to see the connection
>standard pixel tracking, linked to meta (js , web)
>Meta exploited Android's localhost (os level)
Looks like they stopped doing it
https://localmess.github.io
> UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice we describe below.
Chrome and Firefox have deployed / are deploying local-network-access which prompts the user when apps try this.
Any idea if Safari is on board?
I guess that's why I am getting so many "Allow to find devices on your network" alerts. Good feature overall.
Only a good feature if users have a clue what that question means. Most will click "Yes" because they want to get on with whatever they want to do.
Change it to something like "This website is trying to spy on your local devices, do you want to allow this?"
1 reply →
Ah, THAT's what that is. They really need to shift the message from the BROWSER is trying to find devices to the WEBSITE is trying to find devices.
I just discovered that MacOS was blocking Firefox from connecting to devices on my LAN - there's per-app toggle in system settings.
Access to my router's web interface was not blocked (understandably) but this left me rather confused for a while.
I was just about to say that my question in regards to this was "what are web browsers doing about it?"
I've seen it and at least in Chrome it seems to be treating all URLs which are based on an IP address as "local", regardless of the class of the address.
I'd be inherently suspicious of any website in the wild attempting to contact a bare IP address. Aside from localhost, my default assumption would be that such a website is either trying to circumvent my hosts file (or circumvent my other DNS configuration, e.g. pi-hole or DNS-over-HTTPS), malware trying to reach a command-and-control server, or malware trying to circumvent my adblocker.
Off topic: I wonder how hard it is to poison this type of data gathering?
A timely question. Hopefully someone will share the recent Order and Third Amended Complaint
Since that discussion in 2025
Rose v Meta was consolidated with some other privacy cases against Meta
A first amended complaint was filed,^1 Google was added as a defendant
Defendants motion to dismiss was denied
A third amended complaint was filed on Monday
Here are the PDFs
1.
1st amended complaint
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Meta motion to dismiss
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Google motion to dismiss
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Plaintiffs response
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Meta reply
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Google reply
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Order
(Payment required)
https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt...
2nd amended complaint
(Payment required)
https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt...
i would love to have a software engineer's union, not so much to get better working conditions but to be able to say stuff like "i can't implement that unethical feature, it's against union rules and i'd lose my membership".
To be fair; you don't need a union... you can just say no. Context; I told them they couldn't ship this exact feature as designed. (It worked until I left.)
yes, true sometimes (not always). but if more people have access to a way to confidently say "no" (with protection behind them), then i think saying "no" would happen more often, by people who might've otherwise complied.
Without the protection of a union, "just saying no" is a good way to get fired
Start one. Unions are worker owned. You could also join the IWW.
are there examples of unions that have started around a focus on the ethics of the services they provide? unions traditionally start locally, around issues for which the locality is a hotspot, which is why they usually focus on pay and working conditions. it's also easier to get a large group to agree on a set of improvements to working conditions vs a set of ethical boundaries.
Unions in the US are nerfed, by law.
2 replies →
I'd wonder how you'd get into that arrangement to begin with when the entire job is based on unethical tracking
Take a lead, let me sign up :)
And this is why we don't have one. Someone else is expected to do the hard part.
same
You don't need to join a union to push back against unethical feature requests.
The collective leverage of a union gives you significantly more power to do something like this.
1 reply →
> You don't need to join a union to push back against unethical feature requests.
If you push back against unethical feature requests:
No union: you get fired
Union: you still get fired
18 replies →
That’s what licensing is for, not unions.
i don't believe that software development should require a license. imagine having to get board-licensed to download gcc; therein lies the death of free software and owning your devices.
1 reply →
A union could absolutely get involved in something like this.
> not so much to get better working conditions but
... why not both?
[dead]