[Connection-Allowlist] Set up Origin Trial for workers. [chromium/src : main]
0 views
Skip to first unread message
Andrew Verge (Gerrit)
Mar 30, 2026, 4:37:17 PM (5 days ago) Mar 30
to Xiaochen Zhou, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Andrew Verge
Message from Andrew Verge![]( "Open in Gerrit")
Set Ready For Review
Related details
Attention is currently required from:
- Andrew Verge
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Shivani Sharma (Gerrit)
Mar 30, 2026, 6:33:46 PM (5 days ago) Mar 30
to Andrew Verge, Xiaochen Zhou, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Andrew Verge and Xiaochen Zhou
Shivani Sharma voted and added 1 comment![]( "Open in Gerrit")
Votes added by Shivani Sharma
| Code-Review | +1 |
1 comment
Patchset-level comments
Related details
Attention is currently required from:
- Andrew Verge
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Mar 31, 2026, 10:04:41 AM (4 days ago) Mar 31
to Xiaochen Zhou, Alex Moshchuk, Yoshisato Yanagisawa, Dominic Farolino, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Dominic Farolino, Xiaochen Zhou and Yoshisato Yanagisawa
Andrew Verge voted and added 1 comment![]( "Open in Gerrit")
Votes added by Andrew Verge
| Commit-Queue | +1 |
1 comment
Patchset-level comments
Andrew Verge . resolved
Adding alexmos@ for content/browser OWNERS
Adding yyanagisawa@ for content/browser/worker_host OWNERS
Adding dom@ for VirtualTestSuites OWNERS
Related details
Attention is currently required from:
- Alex Moshchuk
- Dominic Farolino
- Xiaochen Zhou
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Yoshisato Yanagisawa (Gerrit)
Apr 1, 2026, 6:07:05 AM (3 days ago) Apr 1
to Andrew Verge, Xiaochen Zhou, Alex Moshchuk, Dominic Farolino, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge, Dominic Farolino and Xiaochen Zhou
Yoshisato Yanagisawa added 2 comments![]( "Open in Gerrit")
File content/browser/worker_host/worker_script_fetcher.cc
Line 179, Patchset 7 (Latest):
network::features::kConnectionAllowlists)) {Yoshisato Yanagisawa . unresolved
Does this mean the feature should be enabled to run the origin trials? It sounds different from the usual OT?
File third_party/blink/web_tests/wpt_internal/connection-allowlist/resources/origin-trial-token.txt
Line 13, Patchset 7 (Latest):
/google/cog/cloud/averge/workerot/chromium/tools/origin_trials/generate_token.py:307: DeprecationWarning: datetime.datetime.utcfromtimestamp() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.fromtimestamp(timestamp, datetime.UTC).Yoshisato Yanagisawa . unresolved
Is it intended to share the deprecation message here?
Related details
Attention is currently required from:
- Alex Moshchuk
- Andrew Verge
- Dominic Farolino
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Shivani Sharma (Gerrit)
Apr 1, 2026, 7:33:45 AM (3 days ago) Apr 1
to Andrew Verge, Xiaochen Zhou, Alex Moshchuk, Yoshisato Yanagisawa, Dominic Farolino, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge, Dominic Farolino and Xiaochen Zhou
Shivani Sharma voted and added 1 comment![]( "Open in Gerrit")
Votes added by Shivani Sharma
| Code-Review | +1 |
1 comment
Patchset-level comments
File-level comment, Patchset 7 (Latest):
Shivani Sharma . unresolved
In this CL, can we also enable the original feature flag by default, since the OT gates both documents and workers after this CL?
Andrew Verge (Gerrit)
Apr 1, 2026, 1:52:55 PM (3 days ago) Apr 1
to Xiaochen Zhou, Alex Moshchuk, Yoshisato Yanagisawa, Dominic Farolino, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Dominic Farolino, Shivani Sharma, Xiaochen Zhou and Yoshisato Yanagisawa
Andrew Verge added 3 comments![]( "Open in Gerrit")
Patchset-level comments
In this CL, can we also enable the original feature flag by default, since the OT gates both documents and workers after this CL?
Andrew Verge
Done.
File content/browser/worker_host/worker_script_fetcher.cc
Line 179, Patchset 7:
network::features::kConnectionAllowlists)) {Yoshisato Yanagisawa . unresolved
Does this mean the feature should be enabled to run the origin trials? It sounds different from the usual OT?
Andrew Verge
Yes, this is different than the usual OT. See explanation here and associated CL in blame: https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/runtime_enabled_features.json5;drc=289a7de98482b2a42af44d68c70e06f76a9b036b;l=1296
The complexity comes from the fact that Connection-Allowlist is implemented entirely in the browser/network service and needs to take effect before a response is sent to the renderer, when OT status is normally propagated.
This base::Feature will be default-enabled and used as a killswitch (see Shivani's comment below about flipping the flag in this CL). For the duration of the OT, we'll use the OT token header or a separate OT override flag to determine whether to actually populate the Connection-Allowlist or not.
CC @xiaoc...@chromium.org in case I missed anything here.
File third_party/blink/web_tests/wpt_internal/connection-allowlist/resources/origin-trial-token.txt
Line 13, Patchset 7:
/google/cog/cloud/averge/workerot/chromium/tools/origin_trials/generate_token.py:307: DeprecationWarning: datetime.datetime.utcfromtimestamp() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.fromtimestamp(timestamp, datetime.UTC).Yoshisato Yanagisawa . resolved
Is it intended to share the deprecation message here?
Attention is currently required from:
- Alex Moshchuk
- Dominic Farolino
- Shivani Sharma
- Xiaochen Zhou
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Shivani Sharma (Gerrit)
Apr 1, 2026, 1:55:21 PM (3 days ago) Apr 1
to Andrew Verge, Xiaochen Zhou, Alex Moshchuk, Yoshisato Yanagisawa, Dominic Farolino, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge, Dominic Farolino, Xiaochen Zhou and Yoshisato Yanagisawa
Shivani Sharma voted Code-Review+1![]( "Open in Gerrit")
Attention is currently required from:
- Alex Moshchuk
- Andrew Verge
- Dominic Farolino
- Xiaochen Zhou
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 1, 2026, 3:03:14 PM (3 days ago) Apr 1
to Xiaochen Zhou, Kenichi Ishibashi, Shivani Sharma, Alex Moshchuk, Yoshisato Yanagisawa, Dominic Farolino, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Dominic Farolino, Kenichi Ishibashi, Xiaochen Zhou and Yoshisato Yanagisawa
Andrew Verge added 1 comment![]( "Open in Gerrit")
Patchset-level comments
File-level comment, Patchset 8 (Latest):
Andrew Verge . resolved
Adding bashi@ for network service features OWNERS
Related details
Attention is currently required from:
- Alex Moshchuk
- Dominic Farolino
- Kenichi Ishibashi
- Xiaochen Zhou
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Shivani Sharma (Gerrit)
Apr 1, 2026, 3:04:54 PM (3 days ago) Apr 1
to Andrew Verge, Xiaochen Zhou, Kenichi Ishibashi, Alex Moshchuk, Yoshisato Yanagisawa, Dominic Farolino, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge, Dominic Farolino, Kenichi Ishibashi, Xiaochen Zhou and Yoshisato Yanagisawa
Shivani Sharma added 1 comment![]( "Open in Gerrit")
Commit Message
Line 10, Patchset 8 (Latest):
to ensure that worker content is also aware of the OT token.Shivani Sharma . unresolved
Let's mention that the feature flag is also enabled as part of this change
Related details
Attention is currently required from:
- Alex Moshchuk
- Andrew Verge
Andrew Verge (Gerrit)
Apr 1, 2026, 3:21:15 PM (3 days ago) Apr 1
to Xiaochen Zhou, Kenichi Ishibashi, Shivani Sharma, Alex Moshchuk, Yoshisato Yanagisawa, Dominic Farolino, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Dominic Farolino, Kenichi Ishibashi, Xiaochen Zhou and Yoshisato Yanagisawa
Andrew Verge added 1 comment![]( "Open in Gerrit")
Commit Message
Line 10, Patchset 8:
to ensure that worker content is also aware of the OT token.Shivani Sharma . resolved
Let's mention that the feature flag is also enabled as part of this change
Attention is currently required from:
- Alex Moshchuk
- Dominic Farolino
- Kenichi Ishibashi
- Xiaochen Zhou
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Kenichi Ishibashi (Gerrit)
Apr 1, 2026, 8:29:59 PM (3 days ago) Apr 1
to Andrew Verge, Xiaochen Zhou, Shivani Sharma, Alex Moshchuk, Yoshisato Yanagisawa, Dominic Farolino, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge, Dominic Farolino, Xiaochen Zhou and Yoshisato Yanagisawa
Kenichi Ishibashi voted and added 1 comment![]( "Open in Gerrit")
Votes added by Kenichi Ishibashi
| Code-Review | +1 |
1 comment
Patchset-level comments
Related details
Attention is currently required from:
- Alex Moshchuk
- Andrew Verge
- Dominic Farolino
- Xiaochen Zhou
- Yoshisato Yanagisawa
Alex Moshchuk (Gerrit)
Apr 1, 2026, 10:15:07 PM (3 days ago) Apr 1
to Andrew Verge, Xiaochen Zhou, Kenichi Ishibashi, Shivani Sharma, Yoshisato Yanagisawa, Dominic Farolino, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Andrew Verge, Dominic Farolino, Xiaochen Zhou and Yoshisato Yanagisawa
Alex Moshchuk voted and added 2 comments![]( "Open in Gerrit")
Votes added by Alex Moshchuk
| Code-Review | +1 |
2 comments
Patchset-level comments
Alex Moshchuk . resolved
non-worker content/browser bits LGTM
File content/browser/connection_allowlist_gating.h
Line 19, Patchset 9 (Latest):
bool ResponseContainsConnectionAllowlist(
const network::mojom::URLResponseHead* response_head);
// Returns true if the response enables connection allowlist origin trial.
bool ResponseEnablesConnectionAllowlistsOriginTrial(Alex Moshchuk . unresolved
Optional: It seems that both of these are always called together in all current use cases, and there seems to be an assumption that the second one is always called before the first one (e.g., the first one checks for null response_head, and the second one assumes the headers are non-null). Would it be simpler to just have one helper function that does both checks? (I.e., the origin trial checks would be incorporated into ResponseContainsConnectionAllowlist?) Not sure if it makes with how you plan on using these going forward, though.
Related details
Attention is currently required from:
Yoshisato Yanagisawa (Gerrit)
Apr 2, 2026, 2:19:49 AM (3 days ago) Apr 2
to Andrew Verge, Xiaochen Zhou, Alex Moshchuk, Kenichi Ishibashi, Shivani Sharma, Dominic Farolino, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Andrew Verge, Dominic Farolino and Xiaochen Zhou
Yoshisato Yanagisawa voted and added 2 comments![]( "Open in Gerrit")
Votes added by Yoshisato Yanagisawa
| Code-Review | +1 |
2 comments
Patchset-level comments
Yoshisato Yanagisawa . resolved
lgtm
File content/browser/worker_host/worker_script_fetcher.cc
Line 179, Patchset 7:
network::features::kConnectionAllowlists)) {Yoshisato Yanagisawa . resolved
Andrew VergeDoes this mean the feature should be enabled to run the origin trials? It sounds different from the usual OT?
Yes, this is different than the usual OT. See explanation here and associated CL in blame: https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/runtime_enabled_features.json5;drc=289a7de98482b2a42af44d68c70e06f76a9b036b;l=1296
The complexity comes from the fact that Connection-Allowlist is implemented entirely in the browser/network service and needs to take effect before a response is sent to the renderer, when OT status is normally propagated.
This base::Feature will be default-enabled and used as a killswitch (see Shivani's comment below about flipping the flag in this CL). For the duration of the OT, we'll use the OT token header or a separate OT override flag to determine whether to actually populate the Connection-Allowlist or not.
CC @xiaoc...@chromium.org in case I missed anything here.
Yoshisato Yanagisawa
Acknowledged
Related details
Attention is currently required from:
- Andrew Verge
- Dominic Farolino
- Xiaochen Zhou
Andrew Verge (Gerrit)
Apr 2, 2026, 10:18:36 AM (2 days ago) Apr 2
to Xiaochen Zhou, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Shivani Sharma, Dominic Farolino, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Dominic Farolino and Xiaochen Zhou
Andrew Verge added 1 comment![]( "Open in Gerrit")
File content/browser/connection_allowlist_gating.h
Line 19, Patchset 9 (Latest):
bool ResponseContainsConnectionAllowlist(
const network::mojom::URLResponseHead* response_head);
// Returns true if the response enables connection allowlist origin trial.
bool ResponseEnablesConnectionAllowlistsOriginTrial(Alex Moshchuk . resolved
Optional: It seems that both of these are always called together in all current use cases, and there seems to be an assumption that the second one is always called before the first one (e.g., the first one checks for null response_head, and the second one assumes the headers are non-null). Would it be simpler to just have one helper function that does both checks? (I.e., the origin trial checks would be incorporated into ResponseContainsConnectionAllowlist?) Not sure if it makes with how you plan on using these going forward, though.
Andrew Verge
I think because of the weird caveats required for running this feature's OT, keeping the OT-specific behavior in its own function will make it easier to disentangle and clean up after the trial is finished.
Related details
Attention is currently required from:
- Dominic Farolino
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 2, 2026, 12:40:00 PM (2 days ago) Apr 2
to Xiaochen Zhou, David Baron, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from David Baron and Xiaochen Zhou
New activity on the change![]( "Open in Gerrit")
Related details
Attention is currently required from:
- David Baron
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 2, 2026, 12:41:40 PM (2 days ago) Apr 2
to Xiaochen Zhou, David Baron, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from David Baron and Xiaochen Zhou
Andrew Verge added 1 comment![]( "Open in Gerrit")
Patchset-level comments
File-level comment, Patchset 10 (Latest):
Andrew Verge . resolved
Adding dbaron@ for VirtualTestSuites OWNERS approval.
Related details
Attention is currently required from:
- David Baron
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
David Baron (Gerrit)
Apr 2, 2026, 12:58:11 PM (2 days ago) Apr 2
to Andrew Verge, Xiaochen Zhou, David Baron, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Andrew Verge and Xiaochen Zhou
David Baron voted and added 3 comments![]( "Open in Gerrit")
Votes added by David Baron
| Code-Review | +1 |
3 comments
Patchset-level comments
David Baron . resolved
`VirtualTestSuites` LGTM, with a few questions
File third_party/blink/web_tests/VirtualTestSuites
Line 326, Patchset 10 (Latest):
"owners": [ "mk...@chromium.org" ],David Baron . unresolved
should one of the folks on this CL be an additional owner here?
Line 333, Patchset 10 (Latest):
"expires": "Jul 1, 2026"David Baron . unresolved
that's a relatively short expiration (just under a calendar quarter). Do you want a few quarters more than that before it bugs you?
Related details
Attention is currently required from:
- Andrew Verge
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 2, 2026, 1:12:03 PM (2 days ago) Apr 2
to Xiaochen Zhou, David Baron, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Xiaochen Zhou
Andrew Verge added 3 comments![]( "Open in Gerrit")
File third_party/blink/web_tests/VirtualTestSuites
Line 326, Patchset 10:
"owners": [ "mk...@chromium.org" ],David Baron . unresolved
should one of the folks on this CL be an additional owner here?
Andrew Verge
Added Shivani as an owner of this suite ()
should one of the folks on this CL be an additional owner here?
Andrew Verge
Added Shivani to owners (on this suite and the one above it, since they are both Connection-Allowlist related).
that's a relatively short expiration (just under a calendar quarter). Do you want a few quarters more than that before it bugs you?
Attention is currently required from:
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 2, 2026, 1:12:37 PM (2 days ago) Apr 2
to Xiaochen Zhou, David Baron, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Xiaochen Zhou
Andrew Verge added 1 comment![]( "Open in Gerrit")
File third_party/blink/web_tests/VirtualTestSuites
Line 326, Patchset 10:
"owners": [ "mk...@chromium.org" ],David Baron . resolved
Andrew Vergeshould one of the folks on this CL be an additional owner here?
Andrew VergeAdded Shivani as an owner of this suite ()
Marked as resolved.
Related details
Attention is currently required from:
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 2, 2026, 1:13:32 PM (2 days ago) Apr 2
to Xiaochen Zhou, David Baron, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Xiaochen Zhou
Andrew Verge voted Commit-Queue+2![]( "Open in Gerrit")
| Commit-Queue | +2 |
Related details
Attention is currently required from:
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 2, 2026, 3:51:55 PM (2 days ago) Apr 2
to Xiaochen Zhou, David Baron, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Shivani Sharma, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, David Baron, Kenichi Ishibashi, Shivani Sharma, Xiaochen Zhou and Yoshisato Yanagisawa
Andrew Verge added 1 comment![]( "Open in Gerrit")
Patchset-level comments
File-level comment, Patchset 13 (Latest):
Andrew Verge . resolved
@shiva...@chromium.org @ba...@chromium.org I had to make one network service change to unbreak a few tests when syncing to latest head. PTAL, thanks!
Related details
Attention is currently required from:
- Alex Moshchuk
- David Baron
- Kenichi Ishibashi
- Shivani Sharma
- Xiaochen Zhou
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Shivani Sharma (Gerrit)
Apr 2, 2026, 4:06:11 PM (2 days ago) Apr 2
to Andrew Verge, Xiaochen Zhou, David Baron, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge, David Baron, Kenichi Ishibashi, Xiaochen Zhou and Yoshisato Yanagisawa
Shivani Sharma voted and added 2 comments![]( "Open in Gerrit")
Votes added by Shivani Sharma
| Code-Review | +1 |
2 comments
Patchset-level comments
Shivani Sharma . resolved
slgtm, thanks!
File services/network/network_context.cc
Line 3775, Patchset 13 (Latest):
// Note that the network_revocation_exemptions_ check below which was addedShivani Sharma . unresolved
minor nit: above
Related details
Attention is currently required from:
- Alex Moshchuk
- Andrew Verge
- David Baron
- Kenichi Ishibashi
- Xiaochen Zhou
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
David Baron (Gerrit)
Apr 2, 2026, 4:22:35 PM (2 days ago) Apr 2
to Andrew Verge, Xiaochen Zhou, David Baron, Shivani Sharma, Yoshisato Yanagisawa, Alex Moshchuk, Kenichi Ishibashi, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge, Kenichi Ishibashi, Xiaochen Zhou and Yoshisato Yanagisawa
David Baron voted and added 1 comment![]( "Open in Gerrit")
Votes added by David Baron
| Code-Review | +1 |
1 comment
Patchset-level comments
Attention is currently required from:
- Alex Moshchuk
- Andrew Verge
Kenichi Ishibashi (Gerrit)
Apr 2, 2026, 7:48:58 PM (2 days ago) Apr 2
to Andrew Verge, Xiaochen Zhou, David Baron, Shivani Sharma, Yoshisato Yanagisawa, Alex Moshchuk, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge, Xiaochen Zhou and Yoshisato Yanagisawa
Kenichi Ishibashi voted Code-Review+1![]( "Open in Gerrit")
Attention is currently required from:
- Alex Moshchuk
- Andrew Verge
- Xiaochen Zhou
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 2, 2026, 8:17:07 PM (2 days ago) Apr 2
to Xiaochen Zhou, Kenichi Ishibashi, David Baron, Shivani Sharma, Yoshisato Yanagisawa, Alex Moshchuk, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Xiaochen Zhou and Yoshisato Yanagisawa
Andrew Verge added 1 comment![]( "Open in Gerrit")
File services/network/network_context.cc
Line 3775, Patchset 13:
// Note that the network_revocation_exemptions_ check below which was addedShivani Sharma . resolved
Andrew Vergeminor nit: above
Done
Related details
Attention is currently required from:
- Alex Moshchuk
- Xiaochen Zhou
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Yoshisato Yanagisawa (Gerrit)
Apr 3, 2026, 12:25:26 AM (yesterday) Apr 3
to Andrew Verge, Xiaochen Zhou, Kenichi Ishibashi, David Baron, Shivani Sharma, Alex Moshchuk, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge and Xiaochen Zhou
Yoshisato Yanagisawa voted Code-Review+1![]( "Open in Gerrit")
Attention is currently required from:
- Alex Moshchuk
- Andrew Verge
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Shivani Sharma (Gerrit)
Apr 3, 2026, 10:39:11 AM (yesterday) Apr 3
to Andrew Verge, Xiaochen Zhou, Yoshisato Yanagisawa, Kenichi Ishibashi, David Baron, Alex Moshchuk, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk, Andrew Verge and Xiaochen Zhou
Shivani Sharma voted and added 2 comments![]( "Open in Gerrit")
Votes added by Shivani Sharma
| Code-Review | +1 |
2 comments
File services/network/network_context.cc
Line 3781, Patchset 15 (Latest):
// 1-2 milestones.Line 3802, Patchset 15 (Latest):
return !patterns.has_value() ||Shivani Sharma . unresolved
could you also add a comment describing this change. Just want to make sure that an empty connection allowlist enforced list is still honored and all URLs are rejected.
Related details
Attention is currently required from:
- Alex Moshchuk
- Andrew Verge
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 3, 2026, 10:59:21 AM (yesterday) Apr 3
to Xiaochen Zhou, Yoshisato Yanagisawa, Kenichi Ishibashi, David Baron, Shivani Sharma, Alex Moshchuk, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk and Xiaochen Zhou
Andrew Verge added 2 comments![]( "Open in Gerrit")
File services/network/network_context.cc
Can add a TODO(crbug.com/499191497) here
Andrew Verge
Done
could you also add a comment describing this change. Just want to make sure that an empty connection allowlist enforced list is still honored and all URLs are rejected.
Attention is currently required from:
- Alex Moshchuk
- Xiaochen Zhou
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Verge (Gerrit)
Apr 3, 2026, 11:00:34 AM (yesterday) Apr 3
to Xiaochen Zhou, Yoshisato Yanagisawa, Kenichi Ishibashi, David Baron, Shivani Sharma, Alex Moshchuk, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Attention needed from Alex Moshchuk and Xiaochen Zhou
Andrew Verge voted Commit-Queue+2![]( "Open in Gerrit")
| Commit-Queue | +2 |
Chromium LUCI CQ (Gerrit)
Apr 3, 2026, 12:20:30 PM (yesterday) Apr 3
to Andrew Verge, Xiaochen Zhou, Yoshisato Yanagisawa, Kenichi Ishibashi, David Baron, Shivani Sharma, Alex Moshchuk, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Chromium LUCI CQ submitted the change with unreviewed changes![]( "Open in Gerrit")
Unreviewed changes
15 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:
```
The name of the file: services/network/network_context.cc
Insertions: 6, Deletions: 1.
@@ -3778,7 +3778,7 @@
// be for a fenced frame. Given that there were no fenced frames exemptions
// detected above, we can just return false here. The fenced frame portion of
// this function is slated for removal, so this will be cleaned up within
- // 1-2 milestones.
+ // 1-2 milestones. TODO(crbug.com/499191497): Remove this check.
if (!restriction.enforced_allowlisted_patterns.has_value() &&
!restriction.report_only_allowlisted_patterns.has_value()) {
return false;
@@ -3799,6 +3799,11 @@
}
auto url_matches_patterns = [&url](auto& patterns) {
+ // If a Connection-Allowlist(-Report-Only) header was not provided, this
+ // optional will not have a value, so we don't need to examine it. If the
+ // header is provided but the list of patterns is empty, we will execute
+ // the second half of this statement, which will fail to find a pattern
+ // match.
return !patterns.has_value() ||
std::ranges::any_of(
*patterns,
```
Change information
Commit message:
[Connection-Allowlist] Set up Origin Trial for workers.
In order for the Connection-Allowlist origin trial to proceed, we need
to ensure that worker content is also aware of the OT token. We also
need the kConnectionAllowlists flag to be enabled by default, so that
the OT token and override are governing whether Connection-Allowlist
is enabled or not.
1. The OT token checks have been added to the
NetworkRestrictionsWorkerThrottle and worker script fetcher.
2. Refactoring: move the connection allowlists existence check and
token validation to two functions in connection_allowlist_gating.h/cc
I have tests for the following cases:
* Worker script fetch respects the document's connection allowlist
* Worker subresource fetch respects the main script fetcher's connection allowlist (when inheriting the allowlist via a local scheme).
I still need to add tests for:
* Worker script fetch returns its own Connection-Allowlist, and subresource requests respect that.
These tests are in a wpt_internal virtual suite because they require
special setup for our slightly-non-standard OT implementation. Given the
size of this CL, might make sense to split the other test cases into a
separate CL. This CL adds 2 virtual tests in total.
Bug: 447954811
Change-Id: I3fd9bcb52cbeb48b79650311e0af8a78d62bff79
Reviewed-by: Yoshisato Yanagisawa <yyana...@chromium.org>
Reviewed-by: Kenichi Ishibashi <ba...@chromium.org>
Reviewed-by: Shivani Sharma <shiva...@chromium.org>
Commit-Queue: Andrew Verge <ave...@chromium.org>
Reviewed-by: David Baron <dba...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1609818}
Files:
- M content/browser/BUILD.gn
- A content/browser/connection_allowlist_gating.cc
- A content/browser/connection_allowlist_gating.h
- M content/browser/renderer_host/navigation_request.cc
- M content/browser/worker_host/network_restrictions_worker_throttle.cc
- M content/browser/worker_host/worker_script_fetcher.cc
- M services/network/network_context.cc
- M services/network/public/cpp/features.cc
- M third_party/blink/web_tests/VirtualTestSuites
- A third_party/blink/web_tests/virtual/connection-allowlist-origin-trial/README.md
- M third_party/blink/web_tests/virtual/connection-allowlist/README.md
- A third_party/blink/web_tests/wpt_internal/connection-allowlist/resources/dedicated-worker-test.js
- A third_party/blink/web_tests/wpt_internal/connection-allowlist/resources/origin-trial-token.txt
- A third_party/blink/web_tests/wpt_internal/connection-allowlist/resources/worker-fetch-script.js
- A third_party/blink/web_tests/wpt_internal/connection-allowlist/worker-origin-trial-disabled.sub.https.window.js
- A third_party/blink/web_tests/wpt_internal/connection-allowlist/worker-origin-trial-disabled.sub.https.window.js.headers
- A third_party/blink/web_tests/wpt_internal/connection-allowlist/worker-origin-trial-enabled.sub.https.window.js
- A third_party/blink/web_tests/wpt_internal/connection-allowlist/worker-origin-trial-enabled.sub.https.window.js.headers
Change size: L
Delta: 18 files changed, 346 insertions(+), 53 deletions(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Shivani Sharma, +1 by David Baron, +1 by Yoshisato Yanagisawa, +1 by Kenichi Ishibashi
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
luci-bisection@appspot.gserviceaccount.com (Gerrit)
Apr 3, 2026, 3:21:44 PM (yesterday) Apr 3
to Andrew Verge, Chromium LUCI CQ, Xiaochen Zhou, Yoshisato Yanagisawa, Kenichi Ishibashi, David Baron, Shivani Sharma, Alex Moshchuk, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
Message from luci-bi...@appspot.gserviceaccount.com![]( "Open in Gerrit")
LUCI Bisection has identified this change as the cause of a test failure. See the analysis: https://ci.chromium.org/ui/p/chromium/bisection/test-analysis/b/5599109869207552
Sample build with failed test: https://ci.chromium.org/b/8685525927317376705
Affected test(s):
[://\:blink_web_tests!webtest::http/tests/inspector-protocol/fetch#request-url-cross-origin.js](https://ci.chromium.org/ui/test/chromium/:%2F%2F%5C:blink_web_tests%21webtest::http%2Ftests%2Finspector-protocol%2Ffetch%23request-url-cross-origin.js?q=VHash%3Afe35cfb6dbc13663)
[://\:blink_wpt_tests!webtest::wpt_internal/speculation-rules/prefetch/no-vary-search#prefetch-single-non-immediate-with-hint.https.html?2-2](https://ci.chromium.org/ui/test/chromium/:%2F%2F%5C:blink_wpt_tests%21webtest::wpt_internal%2Fspeculation-rules%2Fprefetch%2Fno-vary-search%23prefetch-single-non-immediate-with-hint.https.html%3F2-2?q=VHash%3A6201ddcf3914f436)
A revert for this change was not created because the builder that this CL broke is not watched by gardeners, therefore less important. You can consider revert this CL, fix forward or let builder owners resolve it themselves.
If this is a false positive, please report it at http://b.corp.google.com/createIssue?component=1199205&description=Analysis%3A+https%3A%2F%2Fci.chromium.org%2Fui%2Fp%2Fchromium%2Fbisection%2Ftest-analysis%2Fb%2F5599109869207552&format=PLAIN&priority=P3&title=Wrongly+blamed+https%3A%2F%2Fchromium-review.googlesource.com%2Fc%2Fchromium%2Fsrc%2F%2B%2F7688831&type=BUG
Related details
Attention set is empty
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
luci-bisection@appspot.gserviceaccount.com (Gerrit)
Apr 3, 2026, 3:39:02 PM (yesterday) Apr 3
to Andrew Verge, Chromium LUCI CQ, Xiaochen Zhou, Yoshisato Yanagisawa, Kenichi Ishibashi, David Baron, Shivani Sharma, Alex Moshchuk, AyeAye, chromium...@chromium.org, blink-...@chromium.org, alexmo...@chromium.org, blink-work...@chromium.org, creis...@chromium.org, fenced-fra...@chromium.org, kinuko...@chromium.org, navigation...@chromium.org, network-ser...@chromium.org
luci-bi...@appspot.gserviceaccount.com has created a revert of this change![]( "Open in Gerrit")
Related details
Attention set is empty
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages