Skip to content

Allowlist / Denylist

Fresh

Antigravity uses a two-layer security system to control which URLs the browser subagent can access.

Denylist (Server-Side)

  • Powered by Google Superroots BadUrlsChecker service
  • Runs server-side -- no local configuration needed
  • Denies by default if the service is unavailable

WARNING

The denylist always takes precedence over the allowlist. Even if you explicitly allowlist a URL, it will be blocked if it appears on Google's denylist.

Allowlist (Local)

  • Stored as a local text file
  • Initialized with localhost by default
  • Non-allowlisted URLs prompt an "always allow" button when accessed

Managing the Allowlist

ActionHow
Add a URLClick "always allow" when prompted, or manually add to the allowlist file
Remove a URLEdit the allowlist file directly

Security Precedence

URL requested
  --> Check Denylist (server-side)
    --> BLOCKED: URL is denied (no override possible)
    --> ALLOWED: Check Allowlist (local)
      --> ALLOWED: URL is on allowlist, proceed
      --> NOT LISTED: Prompt user with "always allow" option

TIP

For development, the default localhost allowlist is usually sufficient. Add your staging and production domains as needed.

SOP Documentation Site