LAN / localhost
Working with local addresses safely (opt-in + allow-list).
Docs updated: 2026-03-24
Why LAN/localhost can be sensitive
Local addresses (like localhost, 127.0.0.1, or 192.168.x.x) may expose admin dashboards or private services.
Only allow-list them if you trust the page that is sending RTO commands.
Allow-list LAN hosts
The allow-list is host-based. In practice, you should allow-list the hostname
(example: localhost) rather than coupling rules to dev ports.
Your page can run on localhost:3000 and still allow-list localhost.
In 7.13.0, the recommended page-side path is still a request: the page asks, then the confirmation appears on the master tab before the host is added.
<!-- Core API (required) -->
<script src="../RTO_helpers/RTO_form_api.js"></script>
<script src="../RTO_helpers/RTO_domainList.js"></script>
<script>
  (async function(){
    // location.hostname excludes port (recommended)
    const host = location.hostname; // example: "localhost"
    const ok = await RTOAllowlist.add(host, 130000);
    console.log("allowed?", ok, host);
  })();
</script>
Tip
If you really need to target a specific dev port, that must be supported explicitly by your extension’s allow-list rules.
Otherwise, stick to location.hostname (recommended).
Practical tips
- Keep your local allow-list small.
- Use a small detect + allow-list status banner while developing (see the Status UI pattern page).
- Never auto-allow silently. Always require a user click.
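
The host-based rule and the "always require a user click" tip above, combined in an added example that is not RTO project code. The helpers allowlistKey, classifyHost and requestOnClick and the element id are hypothetical; `api` is assumed to be the page's RTOAllowlist object, and the second argument to add() is copied unchanged from the snippet above.

```javascript
// Added example, not RTO project code. Helper names are hypothetical.

// Allow-list key for a URL: hostname only, so the dev port never enters the rule.
function allowlistKey(url) {
  return new URL(url).hostname.toLowerCase();
}

// Classify a hostname so the page can show what kind of target it is asking for.
function classifyHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // URL keeps IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return "loopback";
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return "unknown"; // DNS names, other IPv6 literals: scope not determined here
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return "invalid";
  const [a, b] = octets;
  if (a === 127) return "loopback";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  if (a === 169 && b === 254) return "link-local";
  return "public";
}

// Send the allow-list request from a click handler, following the tip above.
// `api` is assumed to be the page's RTOAllowlist object; the second argument
// to add() is copied unchanged from the page's snippet.
function requestOnClick(button, api, url, onResult) {
  const host = allowlistKey(url);
  const kind = classifyHost(host);
  button.addEventListener("click", async () => {
    const ok = await api.add(host, 130000);
    onResult({ host, kind, ok });
  });
  return { host, kind };
}

// Browser wiring (skipped outside a page). "#rto-allow" is a constructed element id.
if (typeof document !== "undefined" && typeof RTOAllowlist !== "undefined") {
  const btn = document.querySelector("#rto-allow");
  if (btn) requestOnClick(btn, RTOAllowlist, location.href, (r) => console.log("allowed?", r));
}
```

The returned kind can feed a status banner so the user sees whether the request targets a loopback or private LAN address before clicking.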