Chrome is launching an origin trial for Connection Allowlists, a new browser-level security mechanism that creates a network sandbox for web documents and workers. By setting the `Connection-Allowlist` HTTP response header, developers specify the exact URL patterns allowed for all outbound network connections, including fetches, navigations, redirects, WebSockets, and more. The browser enforces a deny-by-default policy at the network layer, so any connection to a destination not on the allowlist is blocked even if malicious code bypasses the application's own logic. This complements CSP: Connection Allowlists govern where a page may connect, whereas CSP governs which resources may load. The origin trial runs from Chrome 148 to 151, and a report-only mode lets sites monitor violations without blocking. Key use cases include sandboxing generative-AI-generated code, containing compromised third-party scripts, and enforcing strict network boundaries around sensitive areas of an application.
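As an added illustration (not Chrome's code, and not the actual grammar of the `Connection-Allowlist` header), the following Python models the deny-by-default behaviour described above: every hop of a request, including each redirect, must match an allowlisted pattern, and report-only mode records violations instead of blocking. The pattern syntax used here (`scheme://host/path-prefix`, with a leading `*.` matching subdomains) is an assumption made for this model only.

```python
from urllib.parse import urlsplit

# Simplified, constructed model of deny-by-default connection allowlisting.
# Pattern syntax is an assumption for illustration: "scheme://host/path-prefix",
# where a host of "*.example.com" also matches "example.com" and its subdomains.
# It is NOT the grammar of Chrome's Connection-Allowlist header.


def _parse_pattern(pattern):
    parts = urlsplit(pattern)
    return parts.scheme.lower(), parts.netloc.lower(), parts.path or "/"


def _matches(url, pattern):
    """True if url matches one allowlist pattern (scheme, host, path prefix)."""
    scheme, host, prefix = _parse_pattern(pattern)
    u = urlsplit(url)
    if u.scheme.lower() != scheme:
        return False
    uhost = u.netloc.lower()
    if host.startswith("*."):
        # host[2:] is the bare domain, host[1:] is ".domain" for subdomains
        if not (uhost == host[2:] or uhost.endswith(host[1:])):
            return False
    elif uhost != host:
        return False
    return (u.path or "/").startswith(prefix)


def check_connection(allowlist, chain, report_only=False):
    """chain: the original request URL followed by each redirect hop, in order.

    Returns (allowed, violations). In enforcing mode the first off-list hop
    blocks the whole connection; in report-only mode every hop is evaluated,
    violations are collected for reporting, and nothing is blocked.
    """
    violations = []
    for hop in chain:
        if not any(_matches(hop, p) for p in allowlist):
            violations.append(hop)
            if not report_only:
                return False, violations
    return True, violations
```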