Contact emails [email protected], [email protected], [email protected]
Explainer https://github.com/WICG/connection-allowlists Specification https://wicg.github.io/connection-allowlists Summary Connection Allowlists is a feature designed to provide explicit control over external endpoints by restricting connections initiated via the Fetch API or other web platform APIs from a document or worker. The proposed implementation involves the distribution of an authorized endpoint list from the server through an HTTP response header. Prior to the establishment of any connection by the user agent on behalf of a page, the agent will evaluate the destination against this allowlist; connections to verified endpoints will be permitted, while those failing to match the entries in the list will be blocked. More details on the proposal can be found here: https://github.com/WICG/connection-allowlists Design doc: https://docs.google.com/document/d/1B3LERUObjVDAKBNLpdIxbk8LC96rWUn1q8vtP9pPIuA/edit?usp=sharing Blink component Blink>SecurityFeature>ConnectionAllowlist Web Feature ID Missing feature Search tags Connection Allowlists TAG review https://github.com/w3ctag/design-reviews/issues/1173 TAG review status Pending Origin Trial documentation link https://github.com/WICG/connection-allowlists Risks Interoperability and Compatibility This is a new feature. We are actively evolving the design via discussions on GitHub and in the Community Group. However, there is no signal yet from any other browser vendors about their implementation plans. Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1322) WebKit: No signal (https://github.com/WebKit/standards-positions/issues/583) Web developers: Positive (https://github.com/WICG/proposals/issues/235#issuecomment-3463775783) Other signals: Ergonomics This feature will be frequently used in tandem with existing Web Platform Security mechanisms like Content Security Policy, Sandbox etc. We expect no impact on Chrome's performance. Activation No challenges for developers to take advantage of this feature immediately. Security This feature should be beneficial for security because it allows frames to restrict network communication that could exfiltrate sensitive data. Please note that we are continuing to add more network endpoints that prevent exfiltration via connection allowlists as OT will progress. WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? No. This is a new feature. Goals for experimentation No information provided Ongoing technical constraints None Debuggability To assist developers in debugging blocked requests or malformed headers, parsing errors and enforcement issues are reported directly to the DevTools Issues tab. Additionally, the reporting infrastructure for Connection-Allowlist was introduced to support both enforced violation reporting and a "report-only" mode, allowing developers to monitor potential breakages without interrupting service. Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? Yes Is this feature fully tested by web-platform-tests? Yes https://github.com/web-platform-tests/wpt/tree/master/connection-allowlist/tentative Flag name on about://flags connection-allowlists Finch feature name ConnectionAllowlists Requires code in //chrome? True Tracking bug https://issues.chromium.org/issues/447954811 Measurement We will be adding metrics for the usage of the feature Estimated milestones Origin trial desktop first 147 Origin trial desktop last 150 Origin trial Android first 147 Origin trial Android last 150 Origin trial WebView first 147 Origin trial WebView last 150 Anticipated spec changes Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (eg links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (eg, changing to naming or structure of the API in a non-backward-compatible way). https://github.com/WICG/connection-allowlists/issues Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5175745573945344?gate=5415518666358784 This intent message was generated by Chrome Platform Status. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69a779c1.050a0220.1426e8.0068.GAE%40google.com.
