We are finding that users on a VPN (or anyone on a private network) are unable to use the Hosted Authnet iFrame on our site. We are specifically using the iframe delivered from /customer/addPayment. I know Chrome 142 tightened enforcement of the Local Network Access spec, blocking cross-origin requests to private networks, and we haven't been able to figure out how to work around it yet.
We have added the allow="local-network-access" permission attribute to the iframe on our end, as well as updated CORS settings on our side, but we find it's insufficient without the corresponding server-side header. The missing piece appears to be on the AuthNet side: Access-Control-Allow-Private-Network: true.
Is there something we're missing to restore full functionality for these users on VPNs, or do we need an update from AuthNet?
