On Wed, Jul 8, 2026 at 7:10 PM Morgaine (de la faye) <[email protected]> wrote:
> I take it there are no affordances for Bookmarklets? > Can you expand? This is about site-initiated network requests. AFAICT, bookmarklets are user-initiated JS snippets, so they are totally orthogonal and unaffected by this. Maybe you have a specific scenario in mind that you think this affects? > Bookmarklets are _THE ONLY_ agency users have on mobile, still, in the > Year of Our Lord 2026 (which is outrageous in itself). This Connection > Allowlist will summarily block good decent folks trying to do things like > use their preferred bookmark site's bookmarklet. I'm highly disappointed > the user's especially on mobile keep having less and less power and that > the site defines and enforces more and more the Terms of Service against > any user desire. This feature massively tilts the game in terms of the > site's preference & away from the user. This is a titan sized violations of > RFC 8890 The Internet is For End Users. To me this feels like a terrible > change that once again leaves users high and dry and unable to use the web > as they please. > > One example of a bookmarklet that is under threat from this "feature" > (this great constrainer, limiter, closer-up, de-featuring, > de-possibilitying): > https://bsky.app/profile/semble.so/post/3mkqftm2jua2f > On Thursday, June 25, 2026 at 3:00:39 PM UTC-4 Chromestatus wrote: > >> *Contact emails* >> [email protected], [email protected], [email protected] >> >> *Explainer* >> https://github.com/WICG/connection-allowlists >> >> *Specification* >> https://wicg.github.io/connection-allowlists >> >> *Summary* >> Connection Allowlists is a feature designed to provide explicit control >> over external endpoints by restricting connections initiated via the Fetch >> API or other web platform APIs from a document or worker. The proposed >> implementation involves the distribution of an authorized endpoint list >> from the server through an HTTP response header. Prior to the establishment >> of any connection by the user agent on behalf of a page, the agent will >> evaluate the destination against this allowlist; connections to verified >> endpoints will be permitted, while those failing to match the entries in >> the list will be blocked. More details on the proposal can be found here: >> https://github.com/WICG/connection-allowlists Design doc: >> https://docs.google.com/document/d/1B3LERUObjVDAKBNLpdIxbk8LC96rWUn1q8vtP9pPIuA/edit?usp=sharing >> Implementation Design: >> https://source.chromium.org/chromium/chromium/src/+/main:docs/connection_allowlist_design.md >> >> *Blink component* >> Blink>SecurityFeature>ConnectionAllowlist >> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3EConnectionAllowlist%22> >> >> *Web Feature ID* >> Missing feature >> >> *Motivation* >> Developers wish to have control over the resources loaded into their >> pages' contexts and the endpoints to which their pages can make requests. >> This control is necessary for several purposes, including limiting the ways >> in which users' data can flow through the user agent (mitigating >> exfiltration attacks) and ensuring control over a site’s architecture and >> dependencies. Content Security Policy addresses some of this need, but does >> so in a way that is more granular than necessary for the most critical use >> cases, and with a syntax and grammar that’s complicated by the other >> protections CSP is used to deploy. `Connection-Allowlist` steps back from >> CSP, and focuses on the single use case of controlling the explicit >> requests a page may initiate through Fetch and other web platform APIs >> (Navigations, preload, DNS Prefetch, WebRTC, Web Transport, etc) in a way >> that aims to be straightforward and comprehensive. Example: >> Connection-Allowlist: (response-origin "https://cdn.example" >> "https://*.example.:tld" >> \ "https://api.example:*"); report-to=ReportingAPIEndpoint >> >> *Initial public proposal* >> https://github.com/WICG/proposals/issues/235 >> >> *Search tags* >> Connection Allowlists <http:///features#tags:Connection%20Allowlists> >> >> *TAG review* >> https://github.com/w3ctag/design-reviews/issues/1173 >> >> *TAG review status* >> Pending >> >> *Origin Trial Name* >> Connection Allowlists >> >> *Goals for experimentation* >> Origin Trial's goal was to gain insights on websites' usage of Connection >> Allowlist header and receive feedback from developers on whether there are >> any updates that would be useful. As was mentioned in the I2E, at the start >> of OT, the following network endpoints were implemented: Subresources >> fetch, Navigations, Redirects, fetches from local scheme navigations (via >> connection allowlists inherited from the navigation's initiator), >> history.back/forward navigations, rel=prefetch, rel=preconnect, >> rel=preload, rel=modulepreload, , rel=dns-prefetch, and their link header >> equivalents. As OT progressed, support was added for remaining known >> network endpoints including webRTC, WebTransport, WebSocket and others. >> Connection allowlists support documents, dedicated workers, shared workers >> and service workers. >> >> *Chromium Trial Name* >> ConnectionAllowlist >> >> *Origin Trial documentation link* >> https://developer.chrome.com/blog/connection-allowlists-origin-trial >> >> *WebFeature UseCounter name* >> kConnectionAllowlist >> >> *Risks* >> >> >> *Interoperability and Compatibility* >> This is a new feature. We are interacting with other browsers via >> discussions on GitHub and in the Community Group. However, there is no >> official signal yet from any other browser vendors about their >> implementation plans. >> >> *Gecko*: No signal ( >> https://github.com/mozilla/standards-positions/issues/1322) We think >> there's agreement on the value of this functionality, but differences of >> opinion on what the header looks like. There has been good interaction on >> some of the issues in the repo and in the WebAppSec meetings. >> >> *WebKit*: No signal ( >> https://github.com/WebKit/standards-positions/issues/583) No official >> position, but there has been good interaction on some of the issues in the >> repo and in the WebAppSec meetings. >> >> *Web developers*: Positive ( >> https://github.com/WICG/proposals/issues/235#issuecomment-3463775783) We >> have had multiple developers using Connection Allowlists through the Origin >> Trial and are planning to continue to use it. Microsoft is also >> collaborating on enhancements like >> https://github.com/WICG/connection-allowlists/issues/1 >> >> *Other signals*: Edge: Positive ( >> https://github.com/WICG/proposals/issues/235#issuecomment-3463775783) >> >> *Ergonomics* >> This feature will be frequently used in tandem with existing Web Platform >> Security mechanisms like Content Security Policy, Sandbox etc. We expect no >> impact on Chrome's performance. >> >> *Activation* >> No challenges for developers to take advantage of this feature >> immediately. >> >> *Security* >> This feature should be beneficial for security because it allows >> documents and workers to restrict network communication that could >> exfiltrate sensitive data. >> >> *WebView application risks* >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> No. This is a new feature. >> >> >> *Debuggability* >> To assist developers in debugging malformed headers, parsing errors are >> reported directly to the DevTools Issues tab. Additionally, the reporting >> infrastructure for Connection-Allowlist was introduced to support both >> enforced violation reporting and a "report-only" mode, allowing developers >> to monitor potential breakages without interrupting service. >> >> *Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, ChromeOS, Android, and Android WebView)?* >> Yes >> >> *Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* >> Yes >> >> https://github.com/web-platform-tests/wpt/tree/master/connection-allowlist/tentative >> >> *Flag name on about://flags* >> connection-allowlists >> >> *Finch feature name* >> ConnectionAllowlists >> >> *Rollout plan* >> Will ship enabled for all users >> >> *Requires code in //chrome?* >> True >> >> *Tracking bug* >> https://issues.chromium.org/issues/447954811 >> >> *Measurement* >> UseCounter has been added for measuring the usage of the feature >> >> *Availability expectation* >> Feature is available only in Chromium browsers for the foreseeable future. >> >> *Adoption expectation* >> Feature is used by specific partner(s) to provide functionality within 12 >> months of launch in Chrome. >> >> *Adoption plan* >> Some of the partners are already participating in the Origin Trial and >> they are expected to adopt the feature as it ships in Chrome. The use >> counter can be seen here: >> https://chromestatus.com/metrics/feature/timeline/popularity/5867 >> >> *Non-OSS dependencies* >> >> Does the feature depend on any code or APIs outside the Chromium open >> source repository and its open-source dependencies to function? >> None >> >> *Estimated milestones* >> Shipping on desktop 152 >> Origin trial desktop first 148 >> Origin trial desktop last 151 >> Shipping on Android 152 >> Origin trial Android first 148 >> Origin trial Android last 151 >> Shipping on WebView 152 >> Origin trial WebView first 148 >> Origin trial WebView last 151 >> >> *Anticipated spec changes* >> >> Open questions about a feature may be a source of future web compat or >> interop issues. Please list open issues (e.g. links to known github issues >> in the project for the feature specification) whose resolution may >> introduce web compat/interop risk (e.g., changing to naming or structure of >> the API in a non-backward-compatible way). >> https://github.com/WICG/connection-allowlists/issues Note that issues >> marked as enhancement, like >> https://github.com/WICG/connection-allowlists/issues/1, >> https://github.com/WICG/connection-allowlists/issues/28 are not included >> in this entry and will be launched via a separate I2S, but are additive and >> backward-compatible. >> >> *Link to entry on the Chrome Platform Status* >> https://chromestatus.com/feature/5175745573945344?gate=6083622706741248 >> >> *Links to previous Intent discussions* >> Intent to Experiment: >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69a779c1.050a0220.1426e8.0068.GAE%40google.com >> >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com>. >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/49e293ad-dd5e-4d2b-81cc-44f4a569856fn%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/49e293ad-dd5e-4d2b-81cc-44f4a569856fn%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJn%3DMYardM1oyCJ1gB2%2BA8SucsVagScR_LAuw96MPceyu4uzGA%40mail.gmail.com.
