RTO_domainList.js

Helper file documentation for RTO_domainList.js.

Docs updated: 2026-03-24

Summary

Allow-list API wrapper (site-side helper).

Exports: window.RTOAllowlist
Depends on: RTO_form_api.js or the same page-side messaging bridge used by the site helpers.
Current add flow: add() first asks through allowlistAddRequest, then waits for the user confirmation on the master tab.
Current add behavior: repeated add(host) calls for the same normalized host share one pending promise on the page side.

What it is

RTO_domainList.js exposes a small allow-list API helper (list / has / add / remove) using the RTO messaging protocol.

In the current helper, add(host) keeps the page calm: a repeated click on the same host does not create a second local request while the first one is still waiting. A user cancellation resolves as false, while real plugin problems still reject with a useful code/message.

Deny-by-default

RTO can control tabs only for hosts explicitly present in the extension allow-list. If a target host is not allow-listed, actions may fail until the user adds the host. In 7.13.0, a page-side add request is visible to the user and must be confirmed on the master tab.

Download

Download RTO_domainList.js

Example

This example checks whether the current host is allowed, and if not, requests an add and waits for the real user approval.

<script src="../RTO_helpers/RTO_form_api.js"></script>
<script src="../RTO_helpers/RTO_domainList.js"></script>

<script>
(function(){
  var host = location.hostname;

  RTOForm.detect(1500).then(function(){
    return RTOAllowlist.has(host).then(function(ok){
      console.log("allowed?", ok, "host=", host);
      if (ok) return true;

      console.log("Please confirm the allow-list request on the master tab.");

      return RTOAllowlist.add(host, 130000).then(function(approved){
        if (!approved) {
          console.log("The request was cancelled or not approved.");
          return false;
        }
        return RTOAllowlist.has(host);
      });
    });
  }).then(function(finalOk){
    console.log("final allowed?", finalOk);
  }).catch(function(err){
    console.warn("Allow-list request failed:", (err && err.code) || err, (err && err.message) || "");
  });
})();
</script>

API

RTOAllowlist.list(timeoutMs?) → Promise<string[]> (normalized host list)
RTOAllowlist.has(host, timeoutMs?) → Promise<boolean>
RTOAllowlist.add(host, timeoutMs?) → Promise<boolean> after approval or rejection; returns false for USER_CANCELLED, rejects for real system/plugin errors
RTOAllowlist.remove(host, timeoutMs?) → Promise<boolean>
RTOAllowlist.cached() → { ts:number, items:string[] }
RTOAllowlist.hasCached(host) → boolean

Compatibility

In 7.13.0, the normal page-side path is allowlistAddRequest for add requests, plus allowlistList, allowlistCheck, and allowlistRemove.

This helper still keeps a small legacy fallback only if the modern add request does not answer. Direct page-side allowlistAdd is no longer the normal documented path.

Tip

What happens on repeated Add clicks?

If your page calls add(host) twice for the same normalized host while the first request is still pending, the helper reuses the same promise instead of sending a second identical page-side request.

host vs hostname

location.host includes the port (example.com:8080). For allow-list without port, prefer location.hostname (example.com).

Human-friendly timeout

add() uses a longer wait by default because it may take a user a moment to switch back to the master tab and confirm the request.

← RTO_visible_when_tab.js

RTO_addRemoveDomain.js →