# Access control and security

From v40 of the M2 platform, the WebUI browser will respect the access policy configured in the `External URLs` section of each project's admin dashboard, so it behaves the same as any other web request. If you have any access controls set up then you will need to add any domains to the allow list.

<figure><img src="https://1456550285-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoWTlPaoHd1McSakqMigu%2Fuploads%2Fgit-blob-aebbdfc1e8ab534972ceadffd656de97e2991a0a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Displaying local content

If you're using the web browser to display any local content, e.g. with `Load File`, you **must** have the access policy set to `Allow content to access all external URLs`. If you don't then the request will be blocked and the content will not display.

This is to help protect against fishing exploits due to spoofing websites, or by using the web browser to bypass any access controls that would block other web requests.