Thanks Mike! Some developers have expressed interest in starting to test when OT begins, so we hope 4 milestones will be sufficient to address feedback and the remaining network endpoints.
On Tue, Mar 3, 2026 at 7:41 PM Mike Taylor <[email protected]> wrote: > LGTM, but see my question below about OT length. > > On 3/3/26 7:19 p.m., Shivani Sharma wrote: > > > > On Tue, Mar 3, 2026 at 7:16 PM Chromestatus < > [email protected]> wrote: > >> *Contact emails* >> [email protected], [email protected], [email protected] >> >> *Explainer* >> https://github.com/WICG/connection-allowlists >> >> *Specification* >> https://wicg.github.io/connection-allowlists >> >> *Summary* >> Connection Allowlists is a feature designed to provide explicit control >> over external endpoints by restricting connections initiated via the Fetch >> API or other web platform APIs from a document or worker. The proposed >> implementation involves the distribution of an authorized endpoint list >> from the server through an HTTP response header. Prior to the establishment >> of any connection by the user agent on behalf of a page, the agent will >> evaluate the destination against this allowlist; connections to verified >> endpoints will be permitted, while those failing to match the entries in >> the list will be blocked. More details on the proposal can be found here: >> https://github.com/WICG/connection-allowlists Design doc: >> https://docs.google.com/document/d/1B3LERUObjVDAKBNLpdIxbk8LC96rWUn1q8vtP9pPIuA/edit?usp=sharing >> >> *Blink component* >> Blink>SecurityFeature>ConnectionAllowlist >> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EConnectionAllowlist%22> >> >> *Web Feature ID* >> Missing feature >> >> *Search tags* >> Connection Allowlists <http:///features#tags:Connection%20Allowlists> >> >> *TAG review* >> https://github.com/w3ctag/design-reviews/issues/1173 >> >> *TAG review status* >> Pending >> >> *Origin Trial documentation link* >> https://github.com/WICG/connection-allowlists >> >> *Risks* >> >> >> *Interoperability and Compatibility* >> This is a new feature. We are actively evolving the design via >> discussions on GitHub and in the Community Group. However, there is no >> signal yet from any other browser vendors about their implementation plans. >> >> *Gecko*: No signal ( >> https://github.com/mozilla/standards-positions/issues/1322) >> >> *WebKit*: No signal ( >> https://github.com/WebKit/standards-positions/issues/583) >> >> *Web developers*: Positive ( >> https://github.com/WICG/proposals/issues/235#issuecomment-3463775783) >> >> *Other signals*: >> >> *Ergonomics* >> This feature will be frequently used in tandem with existing Web Platform >> Security mechanisms like Content Security Policy, Sandbox etc. We expect no >> impact on Chrome's performance. >> >> *Activation* >> No challenges for developers to take advantage of this feature >> immediately. >> >> *Security* >> This feature should be beneficial for security because it allows frames >> to restrict network communication that could exfiltrate sensitive data. >> Please note that we are continuing to add more network endpoints that >> prevent exfiltration via connection allowlists as OT will progress. >> >> *WebView application risks* >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> No. This is a new feature. >> >> >> *Goals for experimentation* >> *No information provided* > > > Due to GoogleChrome/chromium-dashboard#4155 > <https://github.com/GoogleChrome/chromium-dashboard/issues/4155> this > wasn't filled in. It should read: > > We are looking to gain insights on websites' usage of the Connection > Allowlist header and would like to receive feedback from developers on any > useful updates. At the start of OT, the following network endpoints are > addressed: Subresources fetch, Navigations, Redirects, fetches from local > scheme navigations are subjected to the connection allowlist restrictions > from the initiator, history.back/forward navigations, rel=prefetch, > rel=preconnect, rel=preload, rel=modulepreload, , rel=dns-prefetch, and > their link header equivalents. Remaining network endpoints like webRTC, > WebTransport, WebSocket, speculative preconnect and other known network > endpoints will continue to be added as OT progresses. > Additionally at the start of OT, the contexts that support connection > allowlist are documents, dedicated workers and shared workers. Shortly, we > will also add support for service workers. > > You've requested 4 milestones for this OT (which is fine - you can have > up to 6 up front). Is that enough time to land support for the remaining > network endpoints and get feedback? > > > >> >> >> *Ongoing technical constraints* >> None >> >> *Debuggability* >> To assist developers in debugging blocked requests or malformed headers, >> parsing errors and enforcement issues are reported directly to the DevTools >> Issues tab. Additionally, the reporting infrastructure for >> Connection-Allowlist was introduced to support both enforced violation >> reporting and a "report-only" mode, allowing developers to monitor >> potential breakages without interrupting service. >> >> *Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, ChromeOS, Android, and Android WebView)?* >> Yes >> >> *Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* >> Yes >> >> https://github.com/web-platform-tests/wpt/tree/master/connection-allowlist/tentative >> >> *Flag name on about://flags* >> connection-allowlists >> >> *Finch feature name* >> ConnectionAllowlists >> >> *Requires code in //chrome?* >> True >> >> *Tracking bug* >> https://issues.chromium.org/issues/447954811 >> >> *Measurement* >> We will be adding metrics for the usage of the feature >> >> *Estimated milestones* >> Origin trial desktop first 147 >> Origin trial desktop last 150 >> Origin trial Android first 147 >> Origin trial Android last 150 >> Origin trial WebView first 147 >> Origin trial WebView last 150 >> >> *Anticipated spec changes* >> >> Open questions about a feature may be a source of future web compat or >> interop issues. Please list open issues (e.g. links to known github issues >> in the project for the feature specification) whose resolution may >> introduce web compat/interop risk (e.g., changing to naming or structure of >> the API in a non-backward-compatible way). >> https://github.com/WICG/connection-allowlists/issues >> >> *Link to entry on the Chrome Platform Status* >> https://chromestatus.com/feature/5175745573945344?gate=5415518666358784 >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com>. >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADAcp09i5WF7sji8mTpixKR7BAho4hs8roCcqafEOGwbcrtuZA%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADAcp09i5WF7sji8mTpixKR7BAho4hs8roCcqafEOGwbcrtuZA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADAcp09r9OQrhZcEsTTzG_%2B%2BCtZ8ZDivF3xPww0WVAh_PouCrQ%40mail.gmail.com.
