by amarshall 2540 days ago
> There's no uniform criteria for "local network". I can create a local device at any address I want.

Certain subnets are always private [1], and thus may safely be treated as “local”. Of course, non-private addresses could also be local, but that’s less common in a non-enterprise setting.

[1] https://en.wikipedia.org/wiki/Private_network


This isn't a local network issue though, this is a cross-origin issue that browsers definitely need to patch.

A script from the internet should not be allowed to interface with a script from the local network (localhost, local intranet, etc.).

The browser should have strict sandboxes. This is like when you load a site over https: browsers scream at you if you load an http resource, saying it's insecure.

Cross-origin is based on the domain name. It offers no protection against an attacker poking your local IP addresses.

You can have multiple IPs for a domain name, so if I set "hack.tlb.org" to include both a server I control and 192.168.1.1, I can repeatedly do fetches from "hack.tlb.org" until one of them gets your router instead of my server. And they're in the "same origin" for CORS purposes.
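The two points above (private subnets are identifiable, and a single name can resolve to both a public server and 192.168.1.1) are usually handled on the defending side with one rule: classify every address a name resolves to, and refuse the name if any answer is non-public. The following is an added example, not code from any commenter in this thread; it uses Python's standard `ipaddress` module, and the DNS answers in `SAMPLE_ANSWERS` are constructed for illustration (the public IPv4/IPv6 addresses are ones currently published for example.com, used only as routable stand-ins).

```python
"""Classify resolved addresses and gate a hostname on all of its answers.

Added example (not from any commenter in the thread). It assumes a
resolver-side policy: a hostname is usable only if *every* address it
resolves to is public, which is the standard guard against the
mixed-record rebinding described above.
"""
import ipaddress


def classify(addr: str) -> str:
    """Return a coarse category for an IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:            # 127.0.0.0/8, ::1
        return "loopback"
    if ip.is_link_local:          # 169.254.0.0/16, fe80::/10
        return "link-local"
    if ip.is_private:             # RFC 1918, IPv6 ULA fc00::/7, and more
        # Caveat: Python also flags documentation ranges such as
        # 203.0.113.0/24 as private, so do not use them as "public" stand-ins.
        return "private"
    if not ip.is_global:          # multicast, reserved, unspecified, ...
        return "reserved"
    return "public"


def check_resolution(hostname: str, addresses):
    """Return (allowed, reason). Any non-public answer rejects the whole name.

    Checking only the first answer is not enough: a rebinding name returns a
    public address on some lookups and a private one on others, so the policy
    must be all-or-nothing over the full answer set.
    """
    offending = [(a, classify(a)) for a in addresses if classify(a) != "public"]
    if offending:
        detail = ", ".join(f"{a} ({cat})" for a, cat in offending)
        return False, f"refusing {hostname}: non-public answer(s) {detail}"
    return True, f"{hostname}: all {len(addresses)} answers public"


# Constructed sample DNS answers (not real lookups). "hack.tlb.org" mirrors
# the mixed record set from the comment: one public server plus the router.
SAMPLE_ANSWERS = {
    "hack.tlb.org": ["93.184.216.34", "192.168.1.1"],
    "example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
}


def audit(answers=None):
    """Apply the policy to every name in an answer map; returns {name: (ok, reason)}."""
    answers = SAMPLE_ANSWERS if answers is None else answers
    return {host: check_resolution(host, addrs) for host, addrs in answers.items()}


if __name__ == "__main__":
    for host, (ok, reason) in audit().items():
        print("ALLOW" if ok else "BLOCK", reason)
```

Run stand-alone it prints one BLOCK line for `hack.tlb.org` (because of the 192.168.1.1 answer) and one ALLOW line for `example.com`. The same `classify` function is what a browser, proxy or SSRF filter would apply to the *connected* address, not just the resolved one, since the answer set can change between lookup and connection.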