[BUG] Sandbox allows a users permissions.allow for WebFetch to work for domains not in sandbox.network.allowedDomains
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
settings.permission.allow for WebFetch(domain:<domain>) will permit web fetch inside the sandbox. This is unexpected because allowedDomains in the sandbox _should_ be the mechanism to control it based on documentation. When you combine this with the ease of setting.local.json files having various permitted operations, it results in unexpected behavior. Further settings.permission.deny for WebFetch does not supersede this.
This means, you can not have a sandbox with more restrictive web permissions than an unsandboxed environment in the same claude workspace - which is unexpected.
What Should Happen?
While the allowedDomains should be additive with other settings files, they should be of a different kind than permissions.allow WebFetch(domain:...). Without this, things that you might allow outside of the sandbox are now permitted inside the sandbox, which makes the sandbox less effective for workflows that require more restrictions.
Error Messages/Logs
Steps to Reproduce
- Create a settings file to use when starting Claude. Have this contain some sandbox specific settings and start via
claude --settings. Make sure no other settings file that gets merged with this contains sandbox settings to isolate the test case.
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true,
"allowUnsandboxedCommands": false,
"network": {
"allowedDomains": []
}
},
"permissions": {
"deny": ["WebFetch"]
}
}
- Have in another settings.json file
WebFetch(domain:<insertDomain>)
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"permissions": {
"allow": [
"WebFetch(domain:github.com)",
"WebFetch(domain:api.github.com)",
]
}
}
- Now run an operation that uses that domain. In this example, you could use the
ghcli for example.
Observe, the settings.permission.allow permit the request through.
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.69
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Other
Additional Information
_No response_
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗