[blacksmith_tb]

And it doesn't even block, it preflights the requests, and if the device exists and responds, it will only block if the device sets a special header? Which of course no existing devices will, so it's going to do very little good - nothing for existing IoT gear, and likely not much more for new devices, unless all those manufacturers rapidly embrace setting the new header. To me it seems like it'd be a far more obvious approach to just throw up a dialog that says "the current page wants to connect to things on your home network, does that seem reasonable to you, or should I continue to block that?"

[diogocp]

> it will only block if the device sets a special header?

No. It will block by default. If the header is present, it will allow the request.

> just throw up a dialog that says "the current page wants to connect to things on your home network

In many (probably most) cases it is just a work site trying to connect to an internal service on your work VPN, and the warnings would get annoying very quickly.

[blacksmith_tb]

Ah, that makes a little more sense, though it will break any legitimate uses we might have now - not sure if the Home Assistant web UI talks to local devices by IP (or maybe only via their .local?) That's probably still a good tradeoff, and I am sure if they left it all up to the user plenty of people would click 'ok' without understanding, but it'd be nice to have that as an option.