On Fri, Mar 13, 2026 at 1:10 PM Shivani Sharma <[email protected]> wrote:
> To update, we are now targeting M148 as the OT start milestone. I’ve > updated it and the end milestone as M152 in the chrome status entry. > Sorry, end milestone as M151 > > On Wed, Mar 4, 2026 at 5:26 PM Shivani Sharma <[email protected]> > wrote: > >> Thanks Mike! >> >> Some developers have expressed interest in starting to test when OT >> begins, so we hope 4 milestones will be sufficient to address feedback and >> the remaining network endpoints. >> >> On Tue, Mar 3, 2026 at 7:41 PM Mike Taylor <[email protected]> >> wrote: >> >>> LGTM, but see my question below about OT length. >>> >>> On 3/3/26 7:19 p.m., Shivani Sharma wrote: >>> >>> >>> >>> On Tue, Mar 3, 2026 at 7:16 PM Chromestatus < >>> [email protected]> wrote: >>> >>>> *Contact emails* >>>> [email protected], [email protected], [email protected] >>>> >>>> *Explainer* >>>> https://github.com/WICG/connection-allowlists >>>> >>>> *Specification* >>>> https://wicg.github.io/connection-allowlists >>>> >>>> *Summary* >>>> Connection Allowlists is a feature designed to provide explicit control >>>> over external endpoints by restricting connections initiated via the Fetch >>>> API or other web platform APIs from a document or worker. The proposed >>>> implementation involves the distribution of an authorized endpoint list >>>> from the server through an HTTP response header. Prior to the establishment >>>> of any connection by the user agent on behalf of a page, the agent will >>>> evaluate the destination against this allowlist; connections to verified >>>> endpoints will be permitted, while those failing to match the entries in >>>> the list will be blocked. More details on the proposal can be found here: >>>> https://github.com/WICG/connection-allowlists Design doc: >>>> https://docs.google.com/document/d/1B3LERUObjVDAKBNLpdIxbk8LC96rWUn1q8vtP9pPIuA/edit?usp=sharing >>>> >>>> *Blink component* >>>> Blink>SecurityFeature>ConnectionAllowlist >>>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EConnectionAllowlist%22> >>>> >>>> *Web Feature ID* >>>> Missing feature >>>> >>>> *Search tags* >>>> Connection Allowlists <http:///features#tags:Connection%20Allowlists> >>>> >>>> *TAG review* >>>> https://github.com/w3ctag/design-reviews/issues/1173 >>>> >>>> *TAG review status* >>>> Pending >>>> >>>> *Origin Trial documentation link* >>>> https://github.com/WICG/connection-allowlists >>>> >>>> *Risks* >>>> >>>> >>>> *Interoperability and Compatibility* >>>> This is a new feature. We are actively evolving the design via >>>> discussions on GitHub and in the Community Group. However, there is no >>>> signal yet from any other browser vendors about their implementation plans. >>>> >>>> *Gecko*: No signal ( >>>> https://github.com/mozilla/standards-positions/issues/1322) >>>> >>>> *WebKit*: No signal ( >>>> https://github.com/WebKit/standards-positions/issues/583) >>>> >>>> *Web developers*: Positive ( >>>> https://github.com/WICG/proposals/issues/235#issuecomment-3463775783) >>>> >>>> *Other signals*: >>>> >>>> *Ergonomics* >>>> This feature will be frequently used in tandem with existing Web >>>> Platform Security mechanisms like Content Security Policy, Sandbox etc. We >>>> expect no impact on Chrome's performance. >>>> >>>> *Activation* >>>> No challenges for developers to take advantage of this feature >>>> immediately. >>>> >>>> *Security* >>>> This feature should be beneficial for security because it allows frames >>>> to restrict network communication that could exfiltrate sensitive data. >>>> Please note that we are continuing to add more network endpoints that >>>> prevent exfiltration via connection allowlists as OT will progress. >>>> >>>> *WebView application risks* >>>> >>>> Does this intent deprecate or change behavior of existing APIs, such >>>> that it has potentially high risk for Android WebView-based applications? >>>> No. This is a new feature. >>>> >>>> >>>> *Goals for experimentation* >>>> *No information provided* >>> >>> >>> Due to GoogleChrome/chromium-dashboard#4155 >>> <https://github.com/GoogleChrome/chromium-dashboard/issues/4155> this >>> wasn't filled in. It should read: >>> >>> We are looking to gain insights on websites' usage of the Connection >>> Allowlist header and would like to receive feedback from developers on any >>> useful updates. At the start of OT, the following network endpoints are >>> addressed: Subresources fetch, Navigations, Redirects, fetches from local >>> scheme navigations are subjected to the connection allowlist restrictions >>> from the initiator, history.back/forward navigations, rel=prefetch, >>> rel=preconnect, rel=preload, rel=modulepreload, , rel=dns-prefetch, and >>> their link header equivalents. Remaining network endpoints like webRTC, >>> WebTransport, WebSocket, speculative preconnect and other known network >>> endpoints will continue to be added as OT progresses. >>> Additionally at the start of OT, the contexts that support connection >>> allowlist are documents, dedicated workers and shared workers. Shortly, we >>> will also add support for service workers. >>> >>> You've requested 4 milestones for this OT (which is fine - you can have >>> up to 6 up front). Is that enough time to land support for the remaining >>> network endpoints and get feedback? >>> >>> >>> >>>> >>>> >>>> *Ongoing technical constraints* >>>> None >>>> >>>> *Debuggability* >>>> To assist developers in debugging blocked requests or malformed >>>> headers, parsing errors and enforcement issues are reported directly to the >>>> DevTools Issues tab. Additionally, the reporting infrastructure for >>>> Connection-Allowlist was introduced to support both enforced violation >>>> reporting and a "report-only" mode, allowing developers to monitor >>>> potential breakages without interrupting service. >>>> >>>> *Will this feature be supported on all six Blink platforms (Windows, >>>> Mac, Linux, ChromeOS, Android, and Android WebView)?* >>>> Yes >>>> >>>> *Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* >>>> Yes >>>> >>>> https://github.com/web-platform-tests/wpt/tree/master/connection-allowlist/tentative >>>> >>>> *Flag name on about://flags* >>>> connection-allowlists >>>> >>>> *Finch feature name* >>>> ConnectionAllowlists >>>> >>>> *Requires code in //chrome?* >>>> True >>>> >>>> *Tracking bug* >>>> https://issues.chromium.org/issues/447954811 >>>> >>>> *Measurement* >>>> We will be adding metrics for the usage of the feature >>>> >>>> *Estimated milestones* >>>> Origin trial desktop first 147 >>>> Origin trial desktop last 150 >>>> Origin trial Android first 147 >>>> Origin trial Android last 150 >>>> Origin trial WebView first 147 >>>> Origin trial WebView last 150 >>>> >>>> *Anticipated spec changes* >>>> >>>> Open questions about a feature may be a source of future web compat or >>>> interop issues. Please list open issues (e.g. links to known github issues >>>> in the project for the feature specification) whose resolution may >>>> introduce web compat/interop risk (e.g., changing to naming or structure of >>>> the API in a non-backward-compatible way). >>>> https://github.com/WICG/connection-allowlists/issues >>>> >>>> *Link to entry on the Chrome Platform Status* >>>> https://chromestatus.com/feature/5175745573945344?gate=5415518666358784 >>>> >>>> This intent message was generated by Chrome Platform Status >>>> <https://chromestatus.com>. >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADAcp09i5WF7sji8mTpixKR7BAho4hs8roCcqafEOGwbcrtuZA%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADAcp09i5WF7sji8mTpixKR7BAho4hs8roCcqafEOGwbcrtuZA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADAcp0_a4A9Y5Hdfttgd2M1QLL8LohmH_Z6rFY-r9ZpeU6KhaQ%40mail.gmail.com.
