Allow-list
RTO only controls hosts that the user explicitly allowed.
Docs updated: 2025-12-17
Why this exists
The allow-list is the core safety boundary: it prevents automations from running on unknown sites.
Allow-list API
Load RTO_domainList.js and use the global RTOAllowlist object:
RTOAllowlist.list()→ Promise<array>RTOAllowlist.has(host)→ Promise<boolean>RTOAllowlist.add(host)→ Promise<boolean>RTOAllowlist.remove(host)→ Promise<boolean>
<script src="../RTO_helpers/RTO_domainList.js"></script>
<script>
(async function(){
const host = "example.com";
// List allow-listed hosts
const list = await RTOAllowlist.list();
console.log("allow-list:", list);
// Check one host
const allowed = await RTOAllowlist.has(host);
console.log(host, "allowed?", allowed);
// Add + remove
await RTOAllowlist.add(host);
await RTOAllowlist.remove(host);
})();
</script>
UI helper (buttons)
If you prefer a ready-to-use UI wiring, use RTO_addRemoveDomain.js. It binds your buttons and renders the list.
<!-- Markup -->
<input id="hostInput" value="example.com" />
<button id="btnAdd">Add</button>
<button id="btnCheck">Check</button>
<button id="btnRemove">Remove</button>
<div id="msg" style="display:none"></div>
<div id="listWrap" style="display:none">
<h3>Allow-list</h3>
<ul id="list"></ul>
</div>
<script src="../RTO_helpers/RTO_domainList.js"></script>
<script src="../RTO_helpers/RTO_addRemoveDomain.js"></script>
<script>
RTOAllowlistUI.bind({
host: document.getElementById("hostInput").value,
addBtn: "#btnAdd",
checkBtn: "#btnCheck",
removeBtn: "#btnRemove",
msgEl: "#msg",
listWrap: "#listWrap",
listEl: "#list"
});
</script>
UX patterns (recommended)
- If an action fails with
DOMAIN_NOT_ALLOWED, show a small banner: “This site is not allowed” with a button “Allow this host”. - Never auto-allow silently. Let the user click.
- Prefer host-based rules for beginners (example:
example.com), not complex patterns.