Explainer

https://github.com/WICG/connection-allowlists/

The explainer

• Includes the information requested by the Explainer Explainer.
• Follows the Web Platform Design Principles.
• Includes or links to answers to the Security/Privacy Questionnaire.
• Describes user research you did to validate the problem and/or design.

Where and by whom is the work is being done?

• GitHub repo: https://github.com/WICG/connection-allowlists
• Draft spec: https://wicg.github.io/connection-allowlists/
• Primary contacts:
  • @mikewest
  • @shivanigithub
• Organization/project driving the design: Chrome.
• This work is being funded by: Google.
• Incubation and standards groups that have discussed the design:
  • WebAppSec (TPAC 2025 minutes
  • https://github.com/WICG/proposals/issues/235
• Standards group(s) that you expect to discuss and/or adopt this work when it's ready: WebAppSec WG seems a likely target.

Feedback so far

• Multi-stakeholder feedback:
  • Chromium comments: 👍
  • Mozilla comments: https://github.com/mozilla/standards-positions/issues/1322
  • WebKit comments: https://github.com/WebKit/standards-positions/issues/583
• Major unresolved issues with or opposition to this design:
  • https://wicg.github.io/connection-allowlists/#security points to some open questions, as does https://wicg.github.io/connection-allowlists/#overlap-with-csp.

You should also know that...

There's somewhat-related background about my general desire to break CSP in half in https://github.com/WICG/csp-next/.

<!-- Content below this is maintained by @w3c-tag-bot -->

---

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1173