- From: Ehsan Toreini <notifications@github.com>
- Date: Mon, 09 Feb 2026 06:44:42 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1173/3872015643@github.com>
toreini left a comment (w3ctag/design-reviews#1173)

Hi @mikewest,

The goal looks good, and the proposal is generally sensible, but we have several concerns:

* There is no position from other stakeholders. We encourage you to discuss it with them to clarify their position.
* The explainer or the spec could contain more examples to show the interactions more explicitly.
* Regarding reporting, could it be possible to explain the context of the connection? The explainer, in [point 3 of the justification for this spec, mentions that CSP does not cover DNS prefetch and WebRTC](https://github.com/WICG/connection-allowlists/?tab=readme-ov-file#why-build-this-when-we-already-have-content-security-policy) (most probably WebTransport and WebSocket as well) in the threat model. Would it be possible to log the intended usage of these protocols in the report?
* You have pointed out that there are plenty of possible side channels. TAG agrees with that; however, we suggest the proponents address a couple of the more important ones. We point out the following: is there any noticeable distinctive behaviour in parsing the allow-list compared to (1) the CSP permission model and (2) the various communication protocols in origins (regarding a range of side channels, including timing, CPU allocation, memory tracing and caching)?
* TAG could not find any point where you discuss the private mode behaviour. We want to double-check that you're not planning for this feature to behave differently in private mode. (As per the [web platform design principles (section 2.9)](https://www.w3.org/TR/design-principles/#do-not-expose-use-of-private-browsing-mode).)
* Potential leak: TAG acknowledges the single-origin feature of this spec as "A document's (or worker's) asserted policy governs only requests initiated by that context. If a framed document asserts a distinct policy, so be it". However, there is a question about possible leaks via the reporting system. If the reporting endpoint is malicious, cross-origin data could be exfiltrated by generating blocked URLs containing said data and sending reports via the reportingAPIEndpoint. Can you please elaborate on that?
* Is there any evidence that average developers (not just sophisticated developers) actually want to use this spec?

View it on GitHub: https://github.com/w3ctag/design-reviews/issues/1173#issuecomment-3872015643
Received on Monday, 9 February 2026 14:44:46 UTC