惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
雷峰网
雷峰网
罗磊的独立博客
Hugging Face - Blog
Hugging Face - Blog
T
Tailwind CSS Blog
V
Visual Studio Blog
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
Last Week in AI
Last Week in AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 司徒正美
有赞技术团队
有赞技术团队
J
Java Code Geeks
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
Engineering at Meta
Engineering at Meta
B
Blog
Recent Announcements
Recent Announcements
C
Check Point Blog
MongoDB | Blog
MongoDB | Blog
GbyAI
GbyAI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
F
Full Disclosure
Microsoft Security Blog
Microsoft Security Blog
N
Netflix TechBlog - Medium
I
InfoQ
云风的 BLOG
云风的 BLOG
量子位
D
Docker
D
DataBreaches.Net
Vercel News
Vercel News
Blog — PlanetScale
Blog — PlanetScale
宝玉的分享
宝玉的分享
V
V2EX
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Y
Y Combinator Blog
美团技术团队
小众软件
小众软件
阮一峰的网络日志
阮一峰的网络日志
博客园 - 聂微东
B
Blog RSS Feed
MyScale Blog
MyScale Blog
月光博客
月光博客
T
The Blog of Author Tim Ferriss
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
M
MIT News - Artificial intelligence
U
Unit 42
Google DeepMind News
Google DeepMind News

Scott Helme

Top 1 Million Analysis – June 2026: The State of Crypto Top 1 Million Analysis – June 2026: Ten Years of Web Security A dead CDN, a wildcard, and an attack waiting to happen: the netdna-ssl.com takeover Why No Passkeys? Naming the Top Sites That Still Don't Support Them The Instructure Canvas Breach (2026): How XSS in a Support Ticket Compromised 275 Million Students Open-Sourcing dbsc-php: a Server Library for Device Bound Session Credentials in PHP DBSC Beta at Report URI Device Bound Session Credentials: Making Stolen Cookies Useless Passkeys, Permissions Policy and Bug Hunting in 1Password's WebAuthn Wrapper Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None Passkeys 101: An Introduction to Passkeys and How They Work Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive Under Attack: Responding to the Rise of Info-Stealer Threats Security considerations when using Passkeys on your website Fighting an active Magecart Campaign Amazing Refresh — A Malicious Chrome Extension Running Malware in the Browser Bringing in the experts; Having our Passkeys implementation Security Tested Launching Passkeys support on Report URI! 🗝️ When “One in a Billion” Happens Every Day: Scaling Redis at Report URI Leverage our treasure trove of Threat Intelligence data XSS Ranked #1 Top Threat of 2025 by MITRE and CISA DNS-PERSIST-01; Handling Domain Control Validation in a short-lived certificate World
Connection Allowlist: a network firewall, built into the browser
https://www.facebook.com/scott.helme · 2026-07-09 · via Scott Helme

Connection Allowlist is a new browser security mechanism that lets a document declare, up front, the exact set of destinations it's permitted to open network connections to. Anything not on the list is blocked by the browser before the connection leaves the machine. It's currently a WICG proposal (repo here) running as a Chrome origin trial, and Report URI now collects the violation reports it emits.

This post covers how the mechanism works, how it differs from CSP, and the shape of the reports.

What it does

Before any outbound connection is established, the browser checks the destination against the allowlist. If it doesn't match, the connection is blocked at the network layer. This applies regardless of what initiated the connection — the policy is a property of the document, not of the code running in it.

The connection types covered are deliberately broad: fetch()/XHR, subresource requests, WebSocket, WebTransport, DNS prefetch, preload, navigations, redirects and WebRTC are all evaluated against the same list.

Connection-Allowlist: (response-origin "https://cdn.example.com" "https://api.example.com/*")

Two categories get a stricter default and their own parameters:

  • Redirects are blocked by default. The reasoning in the spec is that once a
    request has left the client, the server it went to controls where it's
    redirected next, so a matching initial URL is no guarantee. You opt back in
    with redirects=allow.
  • WebRTC is blocked by default (webrtc=block), because peer connections
    use dynamic endpoint discovery that URL patterns can't meaningfully describe.
    webrtc=allow permits it.

Local schemes (data:, about:) bypass the check. The mechanism only governs network communication — it does nothing about content injection or XSS. It's a containment control: it limits where an already-running script can send data, not whether that script can run.

How this differs from CSP

Content Security Policy can already restrict many outbound connections, with features like connect-src, form-action and others, so it's worth clarifying how Connection Allowlist differs.

Simply put, Connection Allowlist incorporates all outbound connections without the need for an extensive set of directives that would be required in CSP, and some of which you can't currently exert control over. Any outbound connection from the page is in scope. Period.

The two mechanisms complement each other rather than compete. CSP remains the right control for deciding which scripts, styles, images, frames and other resources a page is allowed to load and execute, while Connection Allowlist adds a broader network boundary around where that page can communicate. Used together, CSP helps prevent untrusted code and content from entering the page in the first place, and Connection Allowlist limits the damage if malicious code does run by further restricting where it can send data. For sensitive applications, the strongest position is to deploy both: CSP for content and execution control, and Connection Allowlist for outbound network containment.

Reports

As with any powerful feature, you're going to want to test this before you deploy, and for that, we have the typical format of Report-Only header.

Connection-Allowlist-Report-Only: (response-origin "https://api.example.com/*"); report-to=default

Violations are delivered through the Reporting API to the endpoint named by the report-to group. The report type is connection-allowlist and the body identifies the destination that was blocked:

{
  "type": "connection-allowlist",
  "body": {
    "url": "https://report-uri.com/account",
    "connection": "https://blocked.example/collect.js",
    "allowlist": ["https://api.example.com/*"],
    "disposition": "report"
  }
}

connection is the destination that tripped the policy, allowlist is the
declared policy, disposition is enforce or report, and url is the page that the browser was visiting when this happened.

Report-only is how you deploy this without the risk of breaking anything: serve it, collect what your pages actually connect to, refine the allowlist until it's clean, then switch to the enforcing header. During the origin trial, reporting is limited to document contexts — dedicated, shared and service workers aren't covered yet.

Availability

The feature is a Chrome origin trial (announcement) running from Chrome 148 to 151, after which Chrome will assess whether the feature is ready to progress towards shipping.

Report URI collects Connection Allowlist reports already, currently behind a beta flag. It works the same way as the existing browser report types: point the
report-to group of your Connection-Allowlist-Report-Only header at your Report URI group and the reports land on a Connection Allowlist reports page, showing the page URL, the blocked connection, the enforce/report-only disposition, the raw report and counts.

If you'd like to join to the beta, please reach out to support@ and we'll add your account.


Have you enjoyed this post or found it helpful?
☕️ Consider buying me a coffee to say thanks!
🔔 Subscribe for free notifications when I publish!
🤩 Become a member and support my content!

Tags: Connection Allowlist, 1.1.1.1