Understanding Chrome 94 Private Network Access Restrictions and CORS Errors
The article explains why browsers like Chrome 94 block cross‑origin requests from public contexts to private‑network resources, illustrates the issue with a reproducible example, analyzes the underlying policy changes, and provides practical solutions and configuration steps to mitigate the problem.
Many developers encounter a sudden CORS error after September 21, 2021, where an XMLHttpRequest to a private‑network address is blocked with a message indicating that the request client is not a secure context and the resource resides in a more‑private address space.
The error typically appears when a publicly accessible web page (e.g., http://out.com) makes an AJAX request to an internal service (e.g., http://in.com/api/auditors) using plain HTTP. The request is reproduced with the following JavaScript snippet:
$.ajax({url:"http://in.com/api/auditors", method:"GET", success:function(ret) {}})
Chrome 94 introduced a policy that forbids public, non‑secure contexts (i.e., HTTP pages or pages served from private IPs) from accessing private‑network resources, effectively tightening the classic CORS model.
The article presents a matrix describing how different protocol combinations (HTTP vs. HTTPS) are treated when an external site tries to load internal resources (rows: protocol of the external page; columns: protocol of the internal resource):
External \ Internal | HTTP | HTTPS
HTTP | Chrome 94 blocked | Chrome 94 blocked
HTTPS | Secure content loading insecure content – blocked | Standard CORS handling
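The matrix above, expressed as a check you can run over an inventory of page-to-API calls before users hit the error. This is an added example, not code from the original article. It assumes IPv4 only, caller-supplied resolved IPs (both constructed here), and it goes slightly beyond the matrix by exempting loopback targets from the mixed-content rule.

```javascript
// Added example (not from the article): decide how Chrome 94 treats a request,
// following the article's HTTP/HTTPS matrix. IPv4 only; the caller supplies the
// resolved IPs because the browser classifies the address, not the hostname.
const RANK = { public: 0, private: 1, local: 2 };

function addressSpace(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error("not an IPv4 address: " + ip);
  }
  const [a, b] = parts.map(Number);
  if (a === 127) return "local";                        // loopback
  if (a === 10) return "private";                       // RFC 1918
  if (a === 172 && b >= 16 && b <= 31) return "private";
  if (a === 192 && b === 168) return "private";
  if (a === 169 && b === 254) return "private";         // link-local
  return "public";
}

function classifyRequest(pageUrl, pageIp, targetUrl, targetIp) {
  const pageSecure = new URL(pageUrl).protocol === "https:";
  const targetSecure = new URL(targetUrl).protocol === "https:";
  const pageSpace = addressSpace(pageIp);
  const targetSpace = addressSpace(targetIp);
  // HTTPS page loading HTTP content: mixed content. Loopback targets are exempt
  // because browsers treat http://127.0.0.1 as potentially trustworthy.
  if (pageSecure && !targetSecure && targetSpace !== "local") {
    return "blocked: mixed content";
  }
  // Chrome 94 rule: non-secure page reaching into a more private address space.
  if (!pageSecure && RANK[targetSpace] > RANK[pageSpace]) {
    return "blocked: insecure private network request";
  }
  return "standard CORS handling";
}

// Constructed inventory: out.com and in.com are the article's names; the IPs are
// made up (203.0.113.10 is a documentation address, 10.0.0.5 is RFC 1918).
const PAGE_IP = "203.0.113.10", API_IP = "10.0.0.5";
function matrix() {
  const out = {};
  for (const p of ["http", "https"]) for (const t of ["http", "https"]) {
    out[`${p}->${t}`] = classifyRequest(`${p}://out.com/`, PAGE_IP, `${t}://in.com/api/auditors`, API_IP);
  }
  return out;
}
console.log(matrix());
```

Only the HTTPS-to-HTTPS cell falls through to ordinary CORS, which is why the first mitigation below requires upgrading both sides.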
Two main mitigation strategies are suggested:
Upgrade both external and internal services to use HTTPS.
If upgrading is not possible, configure the browser to disable the “Block insecure private network requests” flag (chrome://flags/#block-insecure-private-network-requests) and restart Chrome.
Finally, the article lists a reference to the Chrome Private Network Access update and provides a brief author bio.
HomeTech
HomeTech tech sharing