惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Stack Overflow Blog
Stack Overflow Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
H
Hacker News: Front Page
S
Security Affairs
Google Online Security Blog
Google Online Security Blog
Attack and Defense Labs
Attack and Defense Labs
H
Heimdal Security Blog
S
Securelist
S
Secure Thoughts
N
News and Events Feed by Topic
T
The Exploit Database - CXSecurity.com
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Last Week in AI
Last Week in AI
The Last Watchdog
The Last Watchdog
N
News | PayPal Newsroom
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
IT之家
IT之家
宝玉的分享
宝玉的分享
有赞技术团队
有赞技术团队
O
OpenAI News
V
Vulnerabilities – Threatpost
S
Schneier on Security
Cyberwarzone
Cyberwarzone
雷峰网
雷峰网
罗磊的独立博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
J
Java Code Geeks
Google DeepMind News
Google DeepMind News
The Cloudflare Blog
美团技术团队
人人都是产品经理
人人都是产品经理
T
The Blog of Author Tim Ferriss
T
Tor Project blog
P
Privacy International News Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Google DeepMind News
Google DeepMind News
S
Security @ Cisco Blogs
Project Zero
Project Zero
Security Archives - TechRepublic
Security Archives - TechRepublic
Schneier on Security
Schneier on Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
P
Proofpoint News Feed
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
aimingoo的专栏
aimingoo的专栏
L
LINUX DO - 热门话题
V
V2EX
Blog — PlanetScale
Blog — PlanetScale
www.infosecurity-magazine.com
www.infosecurity-magazine.com
U
Unit 42

developer.chrome.com: Blog

A developer toolkit to make your website agent-ready  |  Blog  |  Chrome for Developers Unlock runtime insights: Introducing third-party developer tools for Chrome DevTools for agents  |  Blog  |  Chrome for Developers What's New in WebGPU (Chrome 149-150)  |  Blog  |  Chrome for Developers Join the WebMCP origin trial  |  Blog  |  Chrome for Developers Seamless PWA origin migration: Change domains without losing users  |  Blog  |  Chrome for Developers Chrome 150 beta  |  Blog  |  Chrome for Developers New in Chrome 149  |  Blog  |  Chrome for Developers What's new in DevTools (Chrome 149)  |  Blog  |  Chrome for Developers Build new features using built-in AI in Chrome  |  Blog  |  Chrome for Developers What's new in web extensions: I/O 2026 recap  |  Blog  |  Chrome for Developers New in Chrome at Google I/O 2026  |  Blog  |  Chrome for Developers Modernize authentication with passkeys, digital credentials, and more  |  Blog  |  Chrome for Developers 15 updates from Google I/O 2026: Powering the agentic web with new capabilities, tools, and features in Chrome  |  Blog  |  Chrome for Developers Streamline your AI coding workflow with Chrome DevTools for agents 1.0  |  Blog  |  Chrome for Developers Declarative partial updates  |  Blog  |  Chrome for Developers Introducing the HTML-in-Canvas API origin trial  |  Blog  |  Chrome for Developers Gap decorations: Now available in Chromium  |  Blog  |  Chrome for Developers Streamlined sign-in: Immediate UI mode is now available  |  Blog  |  Chrome for Developers Install web apps with the new HTML install element | Blog | Chrome for Developers Chrome 149 beta | Blog | Chrome for Developers New in Chrome 148 | Blog | Chrome for Developers What's new in DevTools (Chrome 148) | Blog | Chrome for Developers Container Timing origin trial | Blog | Chrome for Developers Empower your team with expanded roles in the Developer Dashboard | Blog | Chrome for Developers Localization support for web app manifests | Blog | Chrome for Developers Unlock Structured Clone for Chrome Extension Messaging | Blog | Chrome for Developers What's New in WebGPU (Chrome 147-148) | Blog | Chrome for Developers Final Soft Navigations origin trial starting in Chrome 147 | Blog | Chrome for Developers Improved Japanese phonetic name support in Chrome autofill  |  Blog  |  Chrome for Developers Take our course about AI evaluations  |  Blog  |  Chrome for Developers Chrome 148 beta | Blog | Chrome for Developers Chrome Web Store: A smarter, faster appeals process | Blog | Chrome for Developers New in Chrome 147 | Blog | Chrome for Developers What's new in DevTools (Chrome 147) | Blog | Chrome for Developers Chrome 147 enables concurrent and nested view transitions with element-scoped view transitions | Blog | Chrome for Developers Enter video Picture-in-Picture automatically on more sites | Blog | Chrome for Developers When to use WebMCP and MCP | Blog | Chrome for Developers Chrome 147 beta | Blog | Chrome for Developers New in Chrome 146 | Blog | Chrome for Developers What's new in DevTools (Chrome 146) | Blog | Chrome for Developers
Connection Allowlists origin trial: Secure your web application's network  |  Blog  |  Chrome for Developers
2026-04-16 · via developer.chrome.com: Blog
Skip to main content

Connection Allowlists origin trial: Secure your web application's network

José Luis Zapata

Published: April 16, 2026

Because web applications become more complex, especially with the rise of integrated Generative AI, protecting user data is a top priority. That's why we are announcing the origin trial for Connection Allowlists, a new security mechanism that creates a network sandbox for documents and workers.

Background

In a modern web ecosystem, sensitive data constantly moves between clients and servers. This mobility, combined with a complex supply chain of third-party scripts and the rise of dynamically generated code from generative AI, significantly increases the risk of data exfiltration.

Malicious scripts, vulnerabilities in bundled libraries, or unintended behaviors in generative AI-generated code can bypass application-level checks to send sensitive information to unauthorized endpoints. While Content Security Policy (CSP) is a powerful tool for controlling what a page can load and execute, managing its complexity to specifically restrict where a page communicates can be challenging. This often leads to broad policies that leave room for unauthorized network activity.

Connection Allowlists provide a direct method to address these risks by making the browser the gatekeeper of all network connections originating from your page. By including the Connection-Allowlist HTTP response header, a site specifies the exact URL patterns permitted for all network communication initiated by its context, such as a document or a web worker.

This feature enforces a framework-level "deny-by-default" firewall. Before any connection is established, for example, a subresource fetch, a navigation redirect, or a WebSocket connection, the browser verifies the destination against the allowlist. If the endpoint does not match, the browser blocks the connection at the network level. The browser maintains network boundaries even if malicious code attempts to bypass application-level logic.

How Connection Allowlists work

Connection Allowlists provide a direct method to address these risks by making the browser the gatekeeper of all network connections originating from your page. By including the Connection-Allowlist HTTP response header, a site specifies the exact URL patterns permitted for all network communication initiated by its context. For the origin trial, this is supported for document contexts only.

Before any connection is established, for example, a subresource fetch, a navigation redirect, or a WebSocket connection, the browser verifies the destination against the allowlist. If the endpoint does not match, the browser blocks the connection at the network level. This ensures that network boundaries are maintained even if malicious code attempts to bypass application-level logic.

Use the response-origin token

You can use the response-origin token, which dynamically adds the origin from which the response is served to the allowlist:

Connection-Allowlist: ("https://api.example.com/*" response-origin)

In this example, the page can connect to any path on its origin and the specified API endpoint.

Report violations

To monitor potential issues without disrupting your site's functionality, you can use the Connection-Allowlist-Report-Only header. This variant parses the policy and sends violation reports to a specified endpoint using the Reporting API.

Connection-Allowlist: ("https://trusted.com/*"); report-to=security-endpoint

Key use cases

Connection Allowlists are useful for high-security or dynamic environments:

  • Generative AI and untrusted code: If your site lets users execute generated or untrusted code, for example, in Sheets Canvas or development sandboxes, Connection Allowlists can prevent the code from exfiltrating data to external domains.
  • Third-party oversight: You can ensure that even if a third-party script is compromised, it cannot send data to unauthorized servers.
  • Architectural safeguards: Enforce a strict network boundary for sensitive parts of your application, ensuring communication only with approved backends.

Differences from Content Security Policy

While Connection Allowlists and CSP have similar goals, they are complementary:

  • Network-level focus: Connection Allowlists focus on the destination of network connections, rather than how a resource is loaded or executed.
  • Comprehensive coverage: It covers navigations, redirects, and various web platform APIs, for example, Fetch, WebRTC, WebTransport, DNS prefetch, and preload, in a unified manner.
  • Simplified syntax: Connection Allowlists focus on a single task, which simplifies configuration and security auditing.

Experiment with Connection Allowlists

The Connection Allowlists feature is available for local testing. The origin trial is scheduled to run from Chrome 148 to Chrome 151. Functionality continues to be added as the origin trial progresses. At the start of this trial, the reporting functionality is limited to document contexts; Dedicated, Shared, and Service Workers are not supported. More details on what is supported is in the Register for the origin trial section.

Test locally

  1. Enable the flag: Open Chrome and navigate to chrome://flags/#connection-allowlist. Set the flag to Enabled.
  2. Deploy the header: Configure your local development server to send the Connection-Allowlist HTTP response header. For example, Connection-Allowlist: ("https://api.example.com/*" response-origin).
  3. Verify with DevTools: Open Chrome DevTools and perform actions that trigger network requests.
    • Network panel: Check for requests that are "blocked:other" or show a connection error.
    • Issues tab: Look for detailed reports if there were any parsing errors in your header.

Register for the origin trial

While local testing is great for development, you'll need to register for the origin trial to enable Connection Allowlists for your users in production.

  1. Navigate to the Chrome origin trials dashboard.
  2. Find the Connection Allowlists origin trial and click Register.
  3. Add the generated token to your site's pages or headers as described in the Get started with origin trials guide.

The origin trial is scheduled to run from Chrome 148 to Chrome 151. Functionality continues to be added as the origin trial progresses, so you are strongly encouraged to continue to use your existing web-security mechanisms while testing Connection Allowlists. The Intent to Experiment further details the network endpoints covered by Connection Allowlists implementation.

Provide feedback

Provide feedback on the feature's design and utility. If you encounter issues or have suggestions for improvements, contact the team:

Additional resources

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-04-16 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2026-04-16 UTC."],[],[]]