Allow-list

RTO only drives tabs on hosts that the user has explicitly allowed.
Docs updated: 2026-03-24
Why this exists
The allow-list is the core safety boundary: it prevents automations from running on unknown sites, and it is also what makes real cross-domain tab orchestration possible on hosts the user explicitly approved.

Allow-list API

Host format
Use the bare hostname, with no port: prefer location.hostname. location.host includes the port when one is present (for example example.com:8443), so it will not match the stored allow-list.

Load RTO_form_api.js first, then RTO_domainList.js, and use the global RTOAllowlist object:

  • RTOAllowlist.list() → Promise<array>
  • RTOAllowlist.has(host) → Promise<boolean>
  • RTOAllowlist.add(host, timeoutMs?) → Promise<boolean>
  • RTOAllowlist.remove(host) → Promise<boolean>
How add works in 7.13.0
Page-side add requests now go through allowlistAddRequest. The confirmation is shown on the matching master tab, and the real allowlistAdd step stays internal to the plugin: a page can only ask for an entry, it cannot write one itself. On the helper side, repeated local Add clicks for the same host are also coalesced, so the page does not send the same request twice while one is already pending.
Normalization
The helper normalizes hosts before storing and comparing them: lowercase, strip a leading www., strip a leading dot, strip a leading *. wildcard prefix. Store simple host rules such as example.com (beginner-friendly) and never include a port.
<script src="../RTO_helpers/RTO_form_api.js"></script>
<script src="../RTO_helpers/RTO_domainList.js"></script>
<script>
(function(){
  var host = "example.com";

  // List allow-listed hosts
  RTOAllowlist.list().then(function(list){
    console.log("allow-list:", list);

    // Check one host
    return RTOAllowlist.has(host);
  }).then(function(allowed){
    console.log(host, "allowed?", allowed);

    // Ask for approval on the master tab, then remove
    console.log("Please confirm on the master tab if approval is needed.");
    return RTOAllowlist.add(host, 130000);
  }).then(function(ok){
    console.log("add ok?", ok);
    return RTOAllowlist.remove(host);
  }).then(function(ok){
    console.log("remove ok?", ok);
  })["catch"](function(e){
    console.warn("allow-list error", e);
  });
})();
</script>
<script src="../RTO_helpers/RTO_form_api.js"></script>
<script src="../RTO_helpers/RTO_domainList.js"></script>
<script>
(function(){
  var host = location.hostname; // NOT location.host

  RTOAllowlist.has(host).then(function(ok){
    console.log("current host allowed?", host, ok);
  });
})();
</script>
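Host normalization and the location.host pitfall from the two passages above, as an added example that is not the RTO helper's own code. normalizeHost applies the four rules listed under Normalization (the order, wildcard prefix then leading dot then www., is an assumption) and rejects anything carrying a scheme, path or port, so a value copied from location.host can never be compared against the allow-list by mistake. isAllowed then does an exact, normalized comparison of a page's hostname against a locally cached copy of what RTOAllowlist.list() returned; sampleRules is a constructed list. Exact matching is deliberate: the page does not say whether a stored rule covers subdomains, so this example does not assume it.

```javascript
// Added example, not the RTO helper's own code. The rule order below
// (wildcard prefix, then leading dot, then www.) is an assumption.
function normalizeHost(input) {
  if (typeof input !== "string") return null;
  var host = input.trim().toLowerCase();
  if (host === "") return null;

  // A scheme, path, credentials or port means this is not a bare hostname.
  // Reject instead of guessing: location.host on https://example.com:8443/
  // is "example.com:8443" and would never match a stored rule. (IPv6
  // literals such as "[::1]" are rejected here too; they are out of scope.)
  if (/[\/:@?#\s]/.test(host)) return null;

  if (host.slice(0, 2) === "*.") host = host.slice(2);   // "*.example.com"
  if (host.charAt(0) === ".") host = host.slice(1);      // ".example.com"
  if (host.slice(0, 4) === "www.") host = host.slice(4); // "www.example.com"

  // Labels of letters, digits and hyphens, separated by single dots.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(host)) return null;
  return host;
}

// Exact, normalized comparison of a page's hostname against a cached copy of
// RTOAllowlist.list(). No subdomain matching: the page does not say a rule for
// example.com covers sub.example.com, so this does not assume it.
function isAllowed(hostname, cachedRules) {
  var want = normalizeHost(hostname);
  if (want === null) return false;
  for (var i = 0; i < cachedRules.length; i++) {
    if (normalizeHost(cachedRules[i]) === want) return true;
  }
  return false;
}

// Constructed sample: a cached list as a page might have received it.
var sampleRules = ["Example.com", "*.docs.example.org"];
console.log(isAllowed("www.example.com", sampleRules));  // true
console.log(isAllowed("example.com:8443", sampleRules)); // false (port)
console.log(isAllowed("api.example.com", sampleRules));  // false (exact match only)
```

In a page, feed isAllowed(location.hostname, cachedRules) for a quick local hint only; RTOAllowlist.has() remains the authority, since the cached list can be stale.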

UI helper (buttons)

If you prefer a ready-to-use UI wiring, use RTO_addRemoveDomain.js. It binds your buttons and renders the list.

Important
The UI helper must read the host at click time (from the input), not from a one-time value captured on page load; otherwise the rule that gets added is whatever the input held when the page loaded, not what the user typed. It also disables repeated local Add sends while one approval request is already pending.
<!-- Markup -->
<input id="hostInput" value="example.com" />
<button id="btnAdd">Add</button>
<button id="btnCheck">Check</button>
<button id="btnRemove">Remove</button>
<div id="msg" style="display:none"></div>

<div id="listWrap" style="display:none">
  <h3>Allow-list</h3>
  <ul id="list"></ul>
</div>

<script src="../RTO_helpers/RTO_form_api.js"></script>
<script src="../RTO_helpers/RTO_domainList.js"></script>
<script src="../RTO_helpers/RTO_addRemoveDomain.js"></script>
<script>
(function(){
  // Preferred: pass the input selector (UI helper reads it when needed)
  RTOAllowlistUI.bind({
    hostInput: "#hostInput",
    addBtn: "#btnAdd",
    checkBtn: "#btnCheck",
    removeBtn: "#btnRemove",
    msgEl: "#msg",
    listWrap: "#listWrap",
    listEl: "#list"
  });
})();
</script>

UX patterns (recommended)

When you explain RTO to users, be explicit: the plugin does not bypass browser security. It uses explicit extension permissions plus an allow-list so a local page can drive a real tab on another approved domain.

  • If an action fails with DOMAIN_NOT_ALLOWED, show a small banner: “This site is not allowed” with a button “Allow this host”.
  • Never auto-allow silently. Let the user click.
  • When the user clicks, explain that confirmation now appears on the master tab.
  • Treat USER_CANCELLED as a normal user choice, not as a broken plugin. Real system errors still surface with useful codes/messages.
  • Prefer host-based rules for beginners (example: example.com), not complex patterns.
  • When you need the current site: use location.hostname (not location.host).
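The banner pattern from the list above together with the pending guard described under the UI helper, as an added example that is not RTO's own code. Assumptions not stated on this page: an error carries its code in err.code (err.message as a fallback), RTOAllowlist.add() rejects with a USER_CANCELLED error when the user declines on the master tab and resolves true when they approve, and the ui object (showBanner / hideBanner / showError) and makeFakeAllowlist are constructed stand-ins for your own markup and for the real RTOAllowlist so the walkthrough in demo() runs offline. Nothing here calls add() on its own; only the banner button's click does.

```javascript
// Assumption: error objects carry a string code in err.code; fall back to message.
function errorCode(err) {
  if (err && typeof err.code === "string") return err.code;
  if (err && typeof err.message === "string") return err.message;
  return String(err);
}

// allowlist: the real RTOAllowlist in a page, or the stand-in below offline.
// ui: your banner/error rendering; only showBanner, hideBanner, showError are used.
function createAllowFlow(allowlist, ui, timeoutMs) {
  var pending = {}; // host -> in-flight add() promise

  // Send at most one add request per host at a time. Repeated clicks while
  // one is pending get the same promise instead of a second request.
  function requestAllow(host) {
    if (pending[host]) return pending[host];
    var p = allowlist.add(host, timeoutMs).then(function (ok) {
      delete pending[host];
      return ok ? "allowed" : "refused";
    }, function (err) {
      delete pending[host];
      if (errorCode(err) === "USER_CANCELLED") return "cancelled"; // normal outcome
      throw err; // real system error: surface it
    });
    pending[host] = p;
    return p;
  }

  // Run one automation step. On DOMAIN_NOT_ALLOWED show the banner and stop;
  // the add request is only sent from the banner's button, never automatically.
  function runGuarded(host, action) {
    return Promise.resolve().then(action).then(function (result) {
      return { status: "ok", result: result };
    }, function (err) {
      var code = errorCode(err);
      if (code === "DOMAIN_NOT_ALLOWED") {
        ui.showBanner(host, function onAllowClick() {
          return requestAllow(host).then(function (outcome) {
            if (outcome === "allowed") ui.hideBanner();
            return outcome;
          }, function (sysErr) {
            ui.showError(errorCode(sysErr));
            throw sysErr;
          });
        });
        return { status: "not_allowed" };
      }
      if (code === "USER_CANCELLED") return { status: "cancelled" };
      throw err;
    });
  }

  return { runGuarded: runGuarded, requestAllow: requestAllow };
}

// Constructed stand-in for RTOAllowlist: counts add() requests and answers
// from a script (true/false to resolve, an Error to reject), asynchronously.
function makeFakeAllowlist(script) {
  var calls = 0;
  return {
    calls: function () { return calls; },
    add: function (host) {
      calls += 1;
      var r = script[host];
      return new Promise(function (resolve, reject) {
        setTimeout(function () { r instanceof Error ? reject(r) : resolve(r === true); }, 0);
      });
    }
  };
}

// Constructed stand-in for the banner markup: records what would be rendered.
function makeFakeUi() {
  var state = { banner: null, error: null };
  return {
    state: state,
    showBanner: function (host, onAllow) { state.banner = { host: host, onAllow: onAllow }; },
    hideBanner: function () { state.banner = null; },
    showError: function (code) { state.error = code; }
  };
}

// Offline walkthrough: the step fails with DOMAIN_NOT_ALLOWED, the user clicks
// "Allow this host" three times quickly, exactly one request goes out and is
// approved; then a second host's request is cancelled on the master tab.
function demo() {
  var notAllowed = new Error("not allowed"); notAllowed.code = "DOMAIN_NOT_ALLOWED";
  var cancelled = new Error("cancelled"); cancelled.code = "USER_CANCELLED";
  var allowlist = makeFakeAllowlist({ "example.com": true, "other.test": cancelled });
  var ui = makeFakeUi();
  var flow = createAllowFlow(allowlist, ui, 130000);

  return flow.runGuarded("example.com", function () { throw notAllowed; })
    .then(function (r) {
      if (r.status !== "not_allowed" || !ui.state.banner) throw new Error("banner expected");
      var click = ui.state.banner.onAllow;
      return Promise.all([click(), click(), click()]);
    })
    .then(function (outcomes) {
      return flow.requestAllow("other.test").then(function (second) {
        return { first: outcomes, addCalls: allowlist.calls(),
                 bannerHidden: ui.state.banner === null, second: second, error: ui.state.error };
      });
    });
}

demo().then(function (r) { console.log(r); });
```

The two outcomes a user can produce, approval and USER_CANCELLED, both resolve normally; anything else rejects out of requestAllow so the caller sees the plugin's own code and message rather than a swallowed failure.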
