Security - Preventing access to local network

Hi,
Something to test: is access to the client's local network prevented? For example, is configuring routers that still have default passwords prevented? Which browsers prevent this? Or are there browser-policy-framing settings for this? Or some other settings?

<iframe href="https://admin:admin@router.local/set_dns?server1=123.123.123.123">
</iframe>

Sandstorm has some local network access prevention in the Admin Panel. But I presume it prevents access from the server to the server’s local network. Maybe it is not about preventing client access to the client’s local network.

Content Security Policy should be able to prevent this, but I’d focus on preventing the malicious user input (such as an attacker’s iframe) from being executed in the first place (sanitize and escape user input).
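The two defenses named in the reply above, as an added example that is not part of the original thread: escaping user input so an injected iframe renders as text, and checking which Content Security Policy directive governs frames (frame-src, falling back to child-src, then default-src). The origin `https://app.example` and all function names are assumptions, and the source matching is a simplified subset of CSP (no wildcards or paths).

```javascript
// Added example; names are illustrative, matching is a simplified subset of CSP.
const PAGE_ORIGIN = "https://app.example"; // assumed origin of the application
// The framed URL from the question, used as sample input.
const ROUTER_FRAME = "https://admin:admin@router.local/set_dns?server1=123.123.123.123";

// Escape user input so markup such as <iframe> is displayed, not interpreted.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse a policy string into directive -> source list (first occurrence wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Frames are governed by frame-src, then child-src, then default-src.
function frameSources(policy) {
  const d = parseCsp(policy);
  return d.get("frame-src") ?? d.get("child-src") ?? d.get("default-src") ?? null;
}

// Would this policy let a page on pageOrigin load frameUrl in a frame?
function frameAllowed(policy, frameUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = frameSources(policy);
  if (sources === null) return true; // no governing directive: frames unrestricted
  const target = new URL(frameUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === pageOrigin;
    if (src === "*") return ["http:", "https:"].includes(target.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    return target.origin === src.toLowerCase(); // exact origin match only
  });
}

console.log(frameAllowed("default-src 'self'", ROUTER_FRAME));
console.log(escapeHtml('<iframe src="' + ROUTER_FRAME + '"></iframe>'));
```

A policy that sets only script-src leaves frames unrestricted, which is why the fallback chain is worth checking before relying on CSP for this.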