Commit 5530b41

Copilot and tnorling authored
Add local-network-access iframe attribute for Chrome 142+ compatibility (#8128)
## ✅ Fix ssoSilent failure in Chrome 142 due to Local Network Access Restrictions

### Summary

Chrome 142 enables Local Network Access Restrictions by default, blocking iframe access to authorization servers with a `LocalNetworkAccessPermissionDenied` CORS error. This causes `ssoSilent()` to timeout and fail with `BrowserAuthError: monitor_window_timeout`.

**Solution**: Add `allow="local-network-access *"` attribute to the iframe element created for silent authentication.

### Changes Completed ✅

- [x] Update `createHiddenIframe()` function in `SilentHandler.ts` to add `allow` attribute with `local-network-access *`
- [x] Add test to verify the `allow` attribute is set correctly
- [x] Build and test the changes - all tests pass
- [x] Run linter and ensure all checks pass
- [x] Verify code formatting
- [x] Final verification with comprehensive test suite
- [x] Generate beachball changefile

### Files Modified (15 lines total)

- **lib/msal-browser/src/interaction_handler/SilentHandler.ts** - Added 1 line to set allow attribute
- **lib/msal-browser/test/interaction_handler/SilentHandler.spec.ts** - Added 13 lines for new test
- **change/@azure-msal-browser-bc911259-ba35-43da-8c09-76cc3916692c.json** - Beachball changefile for patch release

### Testing Results ✅

- ✅ **SilentHandler.spec.ts**: All 7 tests pass (including new test for allow attribute)
- ✅ **SilentIframeClient.spec.ts**: All 24 tests pass
- ✅ **All interaction tests**: 310 tests passed, 1 skipped (pre-existing)
- ✅ **Linter**: Passes with no new errors or warnings
- ✅ **Code formatting**: Passes prettier checks
- ✅ **Build**: Succeeds for both msal-common and msal-browser
- ✅ **Beachball check**: Passes validation

### Technical Details

#### Production Code Change (1 line)

```typescript
// In createHiddenIframe() function:
authFrame.setAttribute("allow", "local-network-access *");
```

#### Test Coverage Added

New test verifies that the `allow` attribute is correctly set to `"local-network-access *"` on the created iframe.

#### Beachball Changefile

Generated changefile for @azure/msal-browser with patch version bump.

### Impact Analysis

- ✅ **Minimal change**: Only 1 line added to production code
- ✅ **Non-breaking**: The attribute is permissive and doesn't restrict existing functionality
- ✅ **Backward compatible**: Works with older Chrome versions without issues
- ✅ **Forward compatible**: Addresses Chrome 142+ requirements
- ℹ️ **User consent**: Users will still need to consent to local network access in Chrome 142+, but the authentication flow will no longer timeout

### References

- [Chrome Status - Local Network Access](https://chromestatus.com/feature/5152728072060928)
- [Chrome Developer Blog - Local Network Access](https://developer.chrome.com/blog/local-network-access)
- [Implementation Guide](https://docs.google.com/document/d/1QQkqehw8umtAgz5z0um7THx-aoU251p705FbIQjDuGs/edit)

<!-- START COPILOT CODING AGENT SUFFIX -->

<details>

<summary>Original prompt</summary>

----

*This section details on the original issue you should resolve*

<issue_title>ssoSilent fails in upcoming version of Chrome (142)</issue_title>

<issue_description>

### Core Library

MSAL.js (@azure/msal-browser)

### Core Library Version

4.25.0

### Wrapper Library

Not Applicable

### Wrapper Library Version

N/A

### Public or Confidential Client?

Confidential, Public

### Description

Version 142 (latest beta version) of chrome enables Local Network Access Restrictions [[0]](https://chromestatus.com/feature/5152728072060928) [[1]](https://developer.chrome.com/blog/local-network-access). This breaks the ssoLogin function due to the following CORS error: `LocalNetworkAccessPermissionDenied`. Rather than returning account information, it causes a BrowserAuthError due to a timeout. I'm able to reproduce this on older versions of chrome by manually enabling the following flag: `chrome://flags/#local-network-access-check`. I was able to reproduce this with both msal-browser and msal-react. I've reproduced this locally and on deployed (non-localhost) websites. Note that it seems like other browsers plan to include similar features so this issue might become more widespread.

### Error Message

Network error `CORS: LocalNetworkAccessPermissionDenied`. That error causes the following upstream issue: `BrowserAuthError: monitor_window_timeout: Token acquisition in iframe failed due to timeout. For more visit: aka.ms/msaljs/browser-errors`. After doing some debugging. I was able to find the following error occurring in `monitorIframeForHash` function in [SilentHandler.ts](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/src/interaction_handler/SilentHandler.ts): `Uncaught SecurityError: Failed to read a named property 'href' from 'Location': Blocked a frame with origin "http://localhost:5173" from accessing a cross-origin frame.`

### MSAL Logs

[MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Trace - initialize called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Trace - Executing function initializeCache
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Info - MSAL.js was last initialized by version: 4.25.0
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Trace - Returning result from initializeCache
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Verbose - Claims-based caching is disabled. Clearing the previous cache with claims
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Trace - Executing function clearTokensAndKeysWithClaims
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Trace - Returning result from clearTokensAndKeysWithClaims
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Verbose - handleRedirectPromise called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getTemporaryCache: No cache item found in local storage
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Info - handleRedirectPromise called but there is no interaction in progress, returning null.
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Verbose - handleRedirectPromise has been called for the first time, storing the promise
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Verbose - getAllAccounts called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : @azure/[email protected] : Verbose - ssoSilent called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Trace - canUsePlatformBroker called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [] : @azure/[email protected] : Trace - canUsePlatformBroker: platform broker unavilable, returning false
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : [email protected] : Warning - No user hint provided. The authorization server may need more information to complete this request.
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : [email protected] : Trace - Executing function standardInteractionClientInitializeAuthorizationRequest
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : [email protected] : Verbose - getRedirectUri called
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : [email protected] : Trace - Executing function initializeBaseRequest
auth.ts:25 [MSAL] [Wed, 15 Oct 2025 04:35:15 GMT] : [0199e626-a35a-73c9-914d-9011cd563f1d] : [email protected] : Verbose - Authentication Scheme wasn't explici...

</details>

- Fixes #8100

<!-- START COPILOT CODING AGENT TIPS -->

---

✨ Let Copilot coding agent [set things up for you](https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo.

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: tnorling <[email protected]>
1 parent fad431f commit 5530b41

3 files changed: +21 -0 lines changed

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
{
2+
"type": "patch",
3+
"comment": "Add allow=\"local-network-access *\" attribute to iframe for Chrome 142 compatibility",
4+
"packageName": "@azure/msal-browser",
5+
"email": "[email protected]",
6+
"dependentChangeType": "patch"
7+
}
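
Review bot: The `comment` value on line 3 is what ends up in the changelog, and it names the attribute but not the failure it fixes. Users who hit `BrowserAuthError: monitor_window_timeout` from `ssoSilent()` will look for those terms, so consider wording it around the symptom and referencing the issue, for example "Fix ssoSilent monitor_window_timeout in Chrome 142 by adding allow=\"local-network-access *\" to the hidden iframe (#8100)".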

lib/msal-browser/src/interaction_handler/SilentHandler.ts

Lines changed: 1 addition & 0 deletions
@@ -256,6 +256,7 @@ function createHiddenIframe(): HTMLIFrameElement {
256256
"sandbox",
257257
"allow-scripts allow-same-origin allow-forms"
258258
);
259+
authFrame.setAttribute("allow", "local-network-access *");
259260
document.body.appendChild(authFrame);
260261

261262
return authFrame;
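
Review bot: The allowlist in the added line `authFrame.setAttribute("allow", "local-network-access *");` is the wildcard, so the hidden frame delegates the local-network-access permission to whatever origin ends up loaded in it, not only to the authorization server. `createHiddenIframe()` takes no arguments, so it cannot scope the value as written; consider passing in the origin of the request URL and building the allowlist from it. If `*` is deliberate (for example because the silent flow crosses more than one origin), add a comment above the line that says so and names the Chrome 142 Local Network Access restriction, since nothing in the code currently explains why the attribute is there.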

lib/msal-browser/test/interaction_handler/SilentHandler.spec.ts

Lines changed: 13 additions & 0 deletions
@@ -98,6 +98,19 @@ describe("SilentHandler.ts Unit Tests", () => {
9898
expect(endTime - startTime).toBeLessThan(DEFAULT_IFRAME_TIMEOUT_MS);
9999
expect(authFrame instanceof HTMLIFrameElement).toBe(true);
100100
});
101+
102+
it("Sets the allow attribute for local network access on iframe", async () => {
103+
const authFrame = await SilentHandler.initiateCodeRequest(
104+
testNavUrl,
105+
performanceClient,
106+
browserRequestLogger,
107+
RANDOM_TEST_GUID,
108+
0
109+
);
110+
expect(authFrame.getAttribute("allow")).toBe(
111+
"local-network-access *"
112+
);
113+
});
101114
});
102115

103116
describe("monitorIframeForHash", () => {
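
Review bot: The assertion `expect(authFrame.getAttribute("allow")).toBe("local-network-access *")` pins the entire attribute value and repeats the literal from `SilentHandler.ts`, so it will fail as soon as any other feature is added to `allow`. Consider exporting the value as a constant and checking it with `toContain`, and assert in the same test that `sandbox` still equals `"allow-scripts allow-same-origin allow-forms"` so both attributes on the frame are covered together. The test also leaves the iframe that `createHiddenIframe()` appended to `document.body`; if the suite has no shared teardown, remove it at the end of the test.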
