- From: Mike West <notifications@github.com>
- Date: Tue, 25 Nov 2025 03:46:33 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1173@github.com>
mikewest created an issue (w3ctag/design-reviews#1173)

### Explainer

https://github.com/WICG/connection-allowlists/

### The explainer

- [x] Includes the information requested by the [Explainer Explainer](https://w3ctag.github.io/explainer-explainer/#introduction).
- [x] Follows the [Web Platform Design Principles](https://www.w3.org/TR/design-principles/).
- [ ] Includes or links to answers to the [Security/Privacy Questionnaire](https://www.w3.org/TR/security-privacy-questionnaire/).
- [ ] Describes user research you did to validate the problem and/or design.

### Where and by whom is the work being done?

- GitHub repo: https://github.com/WICG/connection-allowlists
- Draft spec: https://wicg.github.io/connection-allowlists/
- Primary contacts:
  - @mikewest
- Organization/project driving the design: Chrome.
- This work is being funded by: Google.
- Incubation and standards groups that have discussed the design:
  - WebAppSec ([TPAC 2025 minutes](https://github.com/w3c/webappsec/blob/main/meetings/2025/2025-11-TPAC-minutes.md#exfiltration-connection-allowlists-csp))
  - https://github.com/WICG/proposals/issues/235
- Standards group(s) that you expect to discuss and/or adopt this work when it's ready: WebAppSec WG seems a likely target.

### Feedback so far

- Multi-stakeholder feedback:
  - Chromium comments: 👍
  - Mozilla comments: https://github.com/mozilla/standards-positions/issues/1322
  - WebKit comments: https://github.com/WebKit/standards-positions/issues/583
- Major unresolved issues with or opposition to this design:
  - https://wicg.github.io/connection-allowlists/#security points to some open questions, as does https://wicg.github.io/connection-allowlists/#overlap-with-csp.

### You should also know that...

There's somewhat-related background about my general desire to break CSP in half in https://github.com/WICG/csp-next/.
Received on Tuesday, 25 November 2025 11:46:37 UTC