[BUG] Sandbox allows a users permissions.allow for WebFetch to work for domains not in sandbox.network.allowedDomains

Resolved 💬 4 comments Opened Mar 6, 2026 by joes-lucid Closed Apr 4, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

settings.permission.allow for WebFetch(domain:<domain>) will permit web fetch inside the sandbox. This is unexpected because allowedDomains in the sandbox _should_ be the mechanism to control it based on documentation. When you combine this with the ease of setting.local.json files having various permitted operations, it results in unexpected behavior. Further settings.permission.deny for WebFetch does not supersede this.

This means, you can not have a sandbox with more restrictive web permissions than an unsandboxed environment in the same claude workspace - which is unexpected.

What Should Happen?

While the allowedDomains should be additive with other settings files, they should be of a different kind than permissions.allow WebFetch(domain:...). Without this, things that you might allow outside of the sandbox are now permitted inside the sandbox, which makes the sandbox less effective for workflows that require more restrictions.

Error Messages/Logs

Steps to Reproduce

  1. Create a settings file to use when starting Claude. Have this contain some sandbox specific settings and start via claude --settings. Make sure no other settings file that gets merged with this contains sandbox settings to isolate the test case.
{
    "$schema": "https://json.schemastore.org/claude-code-settings.json",
    "sandbox": {
        "enabled": true,
        "autoAllowBashIfSandboxed": true,
        "allowUnsandboxedCommands": false,
        "network": {
            "allowedDomains": []
        }
    },
    "permissions": {
        "deny": ["WebFetch"]
    }
}
  1. Have in another settings.json file WebFetch(domain:<insertDomain>)
{
    "$schema": "https://json.schemastore.org/claude-code-settings.json",
    "permissions": {
        "allow": [
            "WebFetch(domain:github.com)",
            "WebFetch(domain:api.github.com)",
        ]
    }
}
  1. Now run an operation that uses that domain. In this example, you could use the gh cli for example.

Observe, the settings.permission.allow permit the request through.

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.69

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗