#1173: Incubation: Connection Allowlists

Visit on Github

Opened Nov 25, 2025

Explainer

https://github.com/WICG/connection-allowlists/

The explainer

Where and by whom is the work is being done?

Feedback so far

You should also know that...

There's somewhat-related background about my general desire to break CSP in half in https://github.com/WICG/csp-next/.

<!-- Content below this is maintained by @w3c-tag-bot -->

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1173

Discussions

Log in to see TAG-private discussions.

Discussed Dec 1, 2025 (See Github)

Ehsan: Haven’t finished reviewing it yet, try to do it next week.

Hadley: Are we ok on time for this one?

Ehsan: They didn’t mention any deadline on the issue.

Yves: I’ll try to take a look at that next week.

Discussed Dec 8, 2025 (See Github)

Skipped

Discussed Dec 15, 2025 (See Github)

Ehsan: Almost finished with it, but haven't finalized my review yet.

Yves: Making progress on it; no conclusion yet.

Discussed Jan 5, 2026 (See Github)

Yves: Not much progress over the holidays. Remember having a potential thing about link things throught he reporting URL. e.g. add a specific site to the block list with a unique url as the reporting URL, to link sites. Didn't have time to check if that's possible. Generally looks interesting to prevent things that happened in the past like poking open ports.

Ehsan: I read through it, and still working on my review. When you read the threat model, they don't consider the server to be the bad entity.

Yves: I thought they wanted to prevent people from scanning using the API, and it's good for that. Wondering about people misusing it for other purposes.

Ehsan: They mention side-channels, and I focused on that, but your threat is more sensible.

Yves: Mine is a kind of side-channel anyway.

Ehsan: I'm positive in general. Wanted to suggest that the proponents explain it through an example. They say CSP is not relevant, but they don't go through something concrete. Could improve the explainer, but that's minor.

Yves: Wonder if there's a way to differentiate between plain HTTPS, Web Transport, and Web Sockets. Having the intended protocol in there might be useful.

Matthew: Overall we sound positive, with suggestions for improving the explainer. (2 of those: protocol + example). Yves, you're still checking on the possible threats, and we should raise that concern. Either of you want to draft the comment?

Yves: I'll draft it this week, and Ehsan can review.

Discussed Jan 12, 2026 (See Github)

Yves: Drafted a comment, and waiting for Ehsan to add to it.

Ehsan: I'm discussing inside Samsung. I agree with your points, and will add 1-2 things, which need discussion. I'm wondering what happens if the CSP and allowlist overlap, or one is missing. Couldn't find a place that discribes the conflict. They should clarify the hierarchy, which takes priority. Second, maybe it can be used to fingerprint? Looking for a concrete example, but I think it can be used.

Yves: Think fingerprinting is probably less important and probably reuses the same thing as exfiltrating data. Except maybe a timing attack, since you refuse the connection before starting it.

Ehsan: They mention something about side-channels, but they don't clarify.

Yves: Worth mentioning the possibility of problems so they can add it to the security considerations.

Discussed Jan 19, 2026 (See Github)

Ehsan: Yves and I have commented, I think the comments are complementary. If we can have a discussion, or agree to merge the comments, we can post them.

Yves: Makes sense - merging the two should be good.

Ehsan: I'll merge them and await your thumbs-up, and will then post.

Yves: Great.

Discussed Jan 26, 2026 (See Github)

Yves: IIRC Ehsan had feedback too. Mike West announced they're going on origin trial soon, so we need to send it soon.

Ehsan: I liked Jeffrey's and Martin's commemts. Wanted to ask Martin... I am leaning towards satisfied with concerns, but wondering about the justification as to why this is necessary. I find it a good spec. But before that, wanted to see what Martin thinks.

Martin: We talked about it at Mozilla, people were asking where this comes from, why is it relevant? The conclusion is that it is unclear why it's necessary to have another policy for managing connections. Mike has an explanation, but others didn't find it compelling. Mike is deeper into CSP than most. But the conclusion was maybe we didn't try hard enough to shape CSP, rather than adding something new that does the same thing with slight modifications.

Yves: Perhaps we should say that one of the concerns is a lack of apparent consensus from other vendors. There's no comment in WebKit or Mozilla standardisation. Martin, it'd be good if someone from Mozilla could add such a comment. I agree with Ehsan that we should have satisfied with concerns, based on that and the potential abuse cases. It's an early review anyway.

Ehsan: I agree with Yves, but I agree with Martin as well. I think it's a very good idea to ask more about the justifications. I can see the logic behind it, can see why from my view, but from the spec authors' and devs' point of view... I think it will address Martin's team's concerns if we address this concern explicitly.

Martin: Mike has 3 reasons for doing an entirely new thing.

  1. CSP is too granular, which I am not sure I agree with. It's not if you're dealing with high-level cross API stuff syntax (fixable within CSP).

  2. Not granular enough.

  3. Gaps in what CSP applies to (prefetch, RTC). The answer there is the work has been done.

It doesn't seem like a good idea to invent something entirely new here.

Hadley: So what do we need to do with this?

Ehsan: A position from Mozilla would be very helpful. After hearing Martin's point, I need to give it a little more thought. Right now it seems like satisfied with concerns.

Hadley: Even before a comment from Mozilla, we know there's not multi stakeholder support.

Yves: That's why I propsed, as there's no answer from WebKit nor Mozilla, that one of our concerns is lack of browser support on top of the other things we've discussed. Giving the feedback we have now would be timely.

Ehsan: I can draft something for Yves, Martin, and Jeffrey to review.

Comment by @mikewest Jan 28, 2026 (See Github)

Hey folks, we're likely going to be starting up an Origin Trial in Chrome in the somewhat near future based on a partial implementation we're working through. It would be helpful to get your feedback on some of the fundamentals sooner rather than later so we can incorporate it along with whatever we hear from developers that poke at it. :)

Comment by @yoavweiss Jan 28, 2026 (See Github)

Hey Mike!

A few comments:

  1. This is great!! Thanks for working on this!
  2. I'm assuming the feature is supposed to work in workers, and its HTML integration suffers from https://github.com/whatwg/html/issues/11316, so it's not necessarily well-defined.
  3. For dns-prefetch leaks, it seems like this should also integrate with https://html.spec.whatwg.org/#link-type-dns-prefetch. Similarly, there's https://html.spec.whatwg.org/#link-type-preconnect
Comment by @mikewest Jan 28, 2026 (See Github)
  1. This is great!! Thanks for working on this!

🥳

  1. I'm assuming the feature is supposed to work in workers, and its HTML integration suffers from WorkerGlobalScope policies not fully converted to policy containers whatwg/html#11316, so it's not necessarily well-defined.

The assumption is that we'll do the same thing for workers that CSP does; each worker will have its own policy, and local-scheme workers will inherit from their creation context. So, yes. It depends on Policy Container working, and if it isn't wired up, we should add some wires.

  1. For dns-prefetch leaks, it seems like this should also integrate with https://html.spec.whatwg.org/#link-type-dns-prefetch. Similarly, there's https://html.spec.whatwg.org/#link-type-preconnect

Both of those end up routing through Fetch (Step 4 of https://html.spec.whatwg.org/multipage/links.html#link-type-dns-prefetch and step 8 of https://html.spec.whatwg.org/multipage/links.html#preconnect), so I think the integration is already well-defined. There are absolutely bits of the platform that aren't defined through Fetch (WebRTC as a standout example), and we'll certainly need to update the spec and implementation as we run into them. I haven't done that work yet, mostly hoping that folks can provide feedback on the mechanism in itself, assuming that we do reasonable integrations along the way.

Comment by @yoavweiss Jan 28, 2026 (See Github)

Both of those end up routing through Fetch (Step 4 of https://html.spec.whatwg.org/multipage/links.html#link-type-dns-prefetch and step 8 of https://html.spec.whatwg.org/multipage/links.html#preconnect), so I think the integration is already well-defined.

Missed this!! Great to see it defined

Discussed Feb 2, 2026 (See Github)

Ehsan: Right after this meeting, I will post my final comment to the proponents. Then Yves and Jeffrey can have a look. Basically the concatenation of all previous comments, just looks fancier.

Discussed Feb 2, 2026 (See Github)

bump

Comment by @toreini Feb 9, 2026 (See Github)

Hi @mikewest,

The goal looks good, and the proposal is generally sensible, but we have several concerns:

  • There is no position from other stakeholder. We encourage you discuss it with them to clarify their position.
  • The explainer or the spec could contain more examples to show more explicitly the interactions.
  • Regarding reporting, could it be possible to explain the context of the connection? The explainer, point 3 in justification for this spec, mentions CSP does not cover DNS prefetch, WebRTC (most probably WebTransport and WebSocket as well) in the threat model. Would it be possible to log the intended usage of this protocols in the report?
  • You have pointed out there are plenty of possible side channels. TAG agrees with that; however, we suggest the proponents address a couple of the more important ones. We pointed the following: Is there any noticeable distinctive behaviour in parsing allow-list compared to (1) the CSP permission model (2) the various communication protocols in origins (regarding a range of side channels, including timing, CPU allocation, memory tracing and caching)?
  • TAG could not find any point you discuss the private mode behaviour. We want to double-check that you're not planning for this feature to behave differently in private mode. (As per web platforms design principles (section 2.9))
  • Potential leak: TAG acknowledges the single-origin feature of this spec as "A document's (or worker's) asserted policy governs only requests initiated by that context. If a framed document asserts a distinct policy, so be it". However, there is a question about possible leaks via the reporting system. If the reporting endpoint is malicious, cross-origin data could be exfiltrated by generating blocked URLs containing said data and sending reports via the reportingAPIEndpoint. Can you please elaborate on that?
  • Is there any evidence that average developers (not just sophisticated developers) actually want to use this spec?
Comment by @mikewest Feb 9, 2026 (See Github)

Thanks for taking a look, @toreini!

There is no position from other stakeholder. We encourage you discuss it with them to clarify their position.

Certainly, I'm interested as well.

Neither Apple nor Mozilla have formally replied to the standards position requests I opened up after TPAC last year [1, 2], but there were some productive side conversations there with folks associated with those vendors. I was somewhat hopeful that your discussions in the TAG might be a spark for folks associated with those vendors to weigh in one way or the other. :)

I'm similarly hopeful that an Origin Trial we run in Chrome can help us obtain a broader set of feedback from a larger number of developers as they start kicking the tires a bit.

The explainer or the spec could contain more examples to show more explicitly the interactions.

Could you be more specific about the interactions which should be more explicitly shown?

Regarding reporting, could it be possible to explain the context of the connection? The explainer, point 3 in justification for this spec, mentions CSP does not cover DNS prefetch, WebRTC (most probably WebTransport and WebSocket as well) in the threat model. Would it be possible to log the intended usage of this protocols in the report?

I'm not sure I understand the request. Could you clarify what you'd like to see in the report? It shouldn't be too hard to label a violation as being associated with Web Transport or WebRTC or DNS or etc... is that what you mean?

You have pointed out there are plenty of possible side channels. TAG agrees with that; however, we suggest the proponents address a couple of the more important ones. We pointed the following: Is there any noticeable distinctive behaviour in parsing allow-list compared to (1) the CSP permission model (2) the various communication protocols in origins (regarding a range of side channels, including timing, CPU allocation, memory tracing and caching)?

I'm not sure I understand the question here. Can you help me out regarding the potential mismatch you see between parsing allowlists and CSP's permission model?

Regarding side channels, though: I think one of the main reasons to introduce something like this proposal is the ability to spell out a clear and explicit threat model, which we can then evaluate both on its own merits and use in the future to make decisions about the set of features the header should support. To that end, I've sketched this proposal as handling network connections and ~nothing else, as that's a very clear and defensible boundary. That model puts your (2) explicitly out of scope, which seems reasonable to me: URL-based allowlists seem particularly poorly-suited to handling the ~system level global oracles they represent.

TAG could not find any point you discuss the private mode behaviour. We want to double-check that you're not planning for this feature to behave differently in private mode. (As per web platforms design principles (section 2.9))

Yup, there's no reason this would behave differently in private mode. I didn't mention that in the spec as it seems like the default assumption in the absence of a claim otherwise, but I can do so if you'd find it helpful.

Potential leak: TAG acknowledges the single-origin feature of this spec as "A document's (or worker's) asserted policy governs only requests initiated by that context. If a framed document asserts a distinct policy, so be it". However, there is a question about possible leaks via the reporting system. If the reporting endpoint is malicious, cross-origin data could be exfiltrated by generating blocked URLs containing said data and sending reports via the reportingAPIEndpoint. Can you please elaborate on that?

Reporting depends on the same delivery mechanism as the policy itself. The server needs to send a reporting-endpoints header specifying a set of endpoints that Connection Allowlists will then depend upon (see https://w3c.github.io/reporting/#examples for similar examples). You're correct that it's possible for such a header to specify an endpoint which might handle data in an unprotected way. Doing that maliciously would require control over the HTTP response which I'd consider outside the threat model of a mitigation which itself is delivered via an HTTP response header. :)

Is there any evidence that average developers (not just sophisticated developers) actually want to use this spec?

Folks have been asking for CSP to provide some sort of exfiltration hardening for quite some time now. We made some effort in that direction in response to magecart-like attacks in the past that developers across a reasonably-broad spectrum seemed to want.

Today, the folks I hear asking for something like this are generally interested in using something like this as part of a sandboxing approach, particularly for agent-generated, untrusted content (see e.g. https://aifoc.us/the-browser-is-the-sandbox/ and OpenAI's Apps SDK for example). Microsoft and Google are explicitly interested in that angle.