[BUG] Cowork macOS: MITM egress proxy blocks all non-API domains regardless of allowlist settings

Open 💬 10 comments Opened Mar 4, 2026 by gethooo

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Cowork's MITM egress proxy blocks all non-API domains regardless of the network egress allowlist configuration. The VM itself boots and connects successfully — the API is reachable — but all other web requests (WebSearch, WebFetch, curl) are rejected by the proxy with blocked-by-allowlist.

This is not a network/connectivity issue. The VM has full network access to Anthropic's API. The proxy is selectively blocking everything else, and no combination of allowlist settings changes this behaviour.

Environment

  • Claude Desktop 1.1.4328 (d8e391) 2026-02-25T17:04:36.000Z
  • macOS (Apple Silicon)
  • Pro plan
  • No VPN, no third-party firewall, no network extensions

What Should Happen?

Domains added to the egress allowlist (or "All domains") should be permitted through the MITM proxy. WebSearch and WebFetch tools should work in Cowork.

Error Messages/Logs

### Error Messages/Logs

From `cowork_vm_node.log` — VM boots and connects fine:

2026-02-26 22:07:21 [info] [VM] Network status: CONNECTED
2026-02-26 22:07:22 [info] [VM] API reachability: REACHABLE
2026-02-26 22:07:22 [info] [VM:start] Startup complete, total time: 5444ms


The spawn config shows `allowedDomains=23`, which does not correspond to any setting I have configured.

From Cowork session, when asked to reach google.com:
> "No luck — google.com is blocked by the network egress proxy. So internet access isn't available right now."

Steps to Reproduce

Steps to Reproduce

  1. Open Claude Desktop Settings → Capabilities
  2. Enable "Allow network egress"
  3. Set domain allowlist to "All domains" (or any custom domain list)
  4. Quit Claude Desktop (Cmd+Q), reopen
  5. Open a new Cowork session
  6. Ask Cowork to search the web or fetch any non-Anthropic URL
  7. All requests fail — blocked by egress proxy

Troubleshooting Already Performed

  • Tried "All domains" — blocked
  • Tried "Package managers only" + manually adding google.com — blocked
  • Deleted ~/Library/Application Support/Claude/vm_bundles/, let VM rebuild from scratch — blocked
  • Full quit and reopen between every settings change — blocked
  • Verified no VPN, no network extensions (System Settings → Login Items & Extensions → Network Extensions is empty)
  • macOS firewall is off
  • Confirmed egress settings are not stored in claude_desktop_config.json or config.json on disk — they appear to be server-side or JWT-embedded, which may explain why local changes have no effect

Related Issues

  • #30112 — identical symptoms, marked invalid and duplicate-chained to #11897 which is a different platform (web sandbox, not Cowork desktop VM)
  • #21706 — "All domains" sets a * pattern that the app's own validation rejects
  • #18854 — MITM proxy blocking api.anthropic.com (same proxy, different domain)
  • #19087 — additional allowed domains not included in JWT allowlist

The common thread across all of these is that the MITM proxy inside the Cowork VM does not respect the allowlist configuration set in the UI. #30112 was closed as invalid ("not related to Claude Code") — but there is no other repo to file Cowork bugs against. If there is a better channel, please redirect rather than close.

Claude Model

Sonnet (default)

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

Claude Desktop 1.1.4328 (Cowork)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

The allowedDomains=23 value in the spawn config is the key clue — the proxy is receiving a domain list, but either the list doesn't contain the right domains, or the proxy is ignoring it. The fact that this value doesn't change regardless of UI settings suggests the configuration pipeline from UI → server → JWT → VM proxy is broken somewhere upstream of the VM itself.

cowork_vm_node.log

View original on GitHub ↗

This issue has 10 comments on GitHub. Read the full discussion on GitHub ↗