[BUG] Claude in Chrome MCP tools: "Navigation to this domain is not allowed" on all domains (v1.0.66)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
MCP tools provided by the Claude in Chrome extension (v1.0.66) return "Navigation to this domain is not allowed" on every domain — including Google Sheets, GitHub, Wikipedia, and even example.com. The extension's built-in chat feature works fine on all these domains.
Environment
- Extension version: 1.0.66
- Chrome: macOS (Darwin 25.4.0)
- Claude Code: CLI, Opus 4.6 (1M context)
Steps to Reproduce
- Open Claude Code CLI
- Use
tabs_context_mcpto get the tab group — succeeds - Use
tabs_create_mcpto create a new tab — succeeds - Use
navigateto go to any URL — fails with "Navigation to this domain is not allowed"
Domains Tested (all fail)
https://docs.google.com/spreadsheets/...(authenticated Google account)https://outlook.cloud.microsoft/...(authenticated Microsoft account)https://github.comhttps://wikipedia.orghttps://example.com
What Works
tabs_context_mcp— returns tab group and tab IDstabs_create_mcp— creates new tabs- The extension's chat feature (not MCP) — can interact with Google Sheets, Outlook, and other domains without issue
What Doesn't Work
Any MCP tool that touches a domain:
navigate— "Navigation to this domain is not allowed"screenshot,read_page,find,click,javascript_tool— all return "Permission denied for this action on this domain" when tried on a page the user navigated to manually
Expected Behavior
MCP tools should be able to navigate to and interact with domains that the user has access to, consistent with the extension's chat feature behavior.
Workaround
Using AppleScript (osascript) to execute JavaScript in Chrome and System Events for keyboard input bypasses the extension entirely and works on all domains.
What Should Happen?
MCP tools (navigate, screenshot, read_page, click, find, javascript_tool) should be able to interact with domains the user has access to — consistent with how the extension's built-in chat feature behaves. Currently, the chat feature can interact with Google Sheets, Outlook, GitHub, etc. without issue, but all MCP tools fail on every domain with "Navigation to this domain is not allowed" or "Permission denied for this action on this domain."
Error Messages/Logs
Tool: navigate
URL: https://docs.google.com/spreadsheets/d/...
Error: "Navigation to this domain is not allowed"
Tool: navigate
URL: https://github.com
Error: "Navigation to this domain is not allowed"
Tool: navigate
URL: https://wikipedia.org
Error: "Navigation to this domain is not allowed"
Tool: navigate
URL: https://example.com
Error: "Navigation to this domain is not allowed"
Tools: screenshot, read_page, find, click, javascript_tool
(on pages user navigated to manually)
Error: "Permission denied for this action on this domain"
Tools that DO work:
- tabs_context_mcp — returns tab group and tab IDs
- tabs_create_mcp — creates new tabs
Steps to Reproduce
- Open Claude Code CLI
- Use
tabs_context_mcpto get the tab group — succeeds - Use
tabs_create_mcpto create a new tab — succeeds - Use
navigateto go to any URL — fails with "Navigation to this domain is not allowed"
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.87
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
I don't have a record of the latest version that was able to run without this bug, I had cleared the chat before this started happening.
17 Comments
Experiencing a related issue on macOS (Darwin 23.6.0) with v1.0.66.
The extension does prompt for site approval on the first domain in a session, and that domain works fine. However, when attempting to navigate to or interact with any additional domain in the same session, it returns "Navigation to this domain is not allowed" / "Permission denied for reading pages on this domain" — without ever showing an approval prompt for the second domain.
The approved sites settings page shows previously approved domains but provides no way to manually add new ones. The only workaround is starting a new session for each domain.
So it seems like the approval flow is limited to one domain per session rather than being completely broken — subsequent domains are silently denied without prompting.
I have the same issue any possible solution?
In PermissionManager-WI3FAKQw.js, the checkPermission method has:
if(r && this.turnApprovedDomains.size > 0 && !this.isTurnApprovedDomain(r)) return {allowed: false, needsPrompt: false}. Once any domain is turn-approved, all other domains are hard-blocked withneedsPrompt: false, so the user never gets prompted to approve them.Workaround found (Cowork mode): In the Cowork chat's approval settings, change from "Ask for approval" (default, Spanish UI: "pide aprobación") to "Request approvals" (Spanish UI: "solicitar aprobaciones"). After toggling this,
navigate/read_page/form_input/computerall started working immediately in the same session.This aligns with @zoyth's finding about
PermissionManager-*.jsturnApprovedDomainssticky state — the default setting seems to lock the turn-approval state and never clear it, while the alternative path clears/bypasses it.Request to Anthropic: (1) make "Request approvals" the default, or (2) document this toggle prominently in the Claude in Chrome troubleshooting guide. Currently the failure mode is silent (
Permission denied by userwith no prompt shown), which trains users to believe they're misconfiguring something when they aren't.Environment: macOS, Chrome latest, Claude Desktop (Cowork mode), Claude in Chrome extension fcoeoabgfenejglbffodgkkbkcdhcgfn.
Workaround found (Cowork mode): In the Cowork chat's approval settings, change from "Ask for approval" (default, Spanish UI: "pide aprobación") to "Request approvals" (Spanish UI: "solicitar aprobaciones"). After toggling this,
navigate/read_page/form_input/computerall started working immediately in the same session.This aligns with @zoyth's finding about
PermissionManager-*.jsturnApprovedDomainssticky state — the default setting seems to lock the turn-approval state and never clear it, while the alternative path clears/bypasses it.Request to Anthropic: (1) make "Request approvals" the default, or (2) document this toggle prominently in the Claude in Chrome troubleshooting guide. Currently the failure mode is silent (
Permission denied by userwith no prompt shown), which trains users to believe they're misconfiguring something when they aren't.Environment: macOS, Chrome latest, Claude Desktop (Cowork mode), Claude in Chrome extension fcoeoabgfenejglbffodgkkbkcdhcgfn.
Still reproducing on Windows with the latest
claude-codeCLI and extension v1.0.68. The resolution @dmarketingllm mentioned likely applies to Cowork only.Building on @zoyth's finding: the early-exit triggers because the CLI path sends
permissionMode: "follow_a_plan"to the extension, which populatesturnApprovedDomainsand never clears it. A quick look at the bundle showsmcpPermissions-*.jshassetTurnApprovedDomainscalls but lacks anyclearTurnApprovedDomainslogic. Conversely,sidepanel-*.jshas several clears. This explains why @teiguell's Cowork UI toggle resolves the issue there but does nothing for the CLI path.Normal approval flow comes back if the early-exit @zoyth quoted is bypassed, since
checkPermissionthen falls through toneedsPrompt: true. A proper upstream fix would be great, such as defaulting the CLI to "ask" mode or mirroring the sidepanel's state-clearing logic in the MCP path.I was wrong. 'Navigate' is working for me in Claude Code. read_page, javascript_tool, and find are still all blocked immediately.
Still an issue. Blocks so many use cases - how is this not fixed already?
<img width="904" height="383" alt="Image" src="https://github.com/user-attachments/assets/0c0d57b9-520b-4b76-983d-97e47214251f" />
Same issue
Still experiencing this on macOS with Claude Code CLI. The single-domain-per-session lock is blocking multi-domain workflows — in my case, I need to interact with both a production WordPress site and its dev environment (different subdomain) in the same session, and only the first domain works. The second domain is silently denied without any approval prompt.
I am wondering exactly the same. I had a scheduled task verifying some listings on a few websites, and it was running for a couple of weeks perfectly, but now its been almost a month that it has been failing, saying that I have blocked that website and need to approve it.
But like you all say, it makes absolutely no sense, I am not blocking anything, and there is no way to approve it. I am also baffled how this is not yet fixed, aka a BLOCKING HOTFIX, there are no "workarounds"...
Still reproducing as of 2026-05-29 — Claude in Chrome extension, Claude Code CLI (Opus 4.8), macOS.
Ran a clean multi-domain repro in a fresh MCP session (single tab group), testing each tool individually so silent denials couldn't hide behind a batch error:
First domain (example.com) — everything works:
navigate, get_page_text, read_page, find, javascript_tool — all ✅
Any second domain in the same session — hard-blocked:
navigate → en.wikipedia.org → Navigation to this domain is not allowed
navigate → github.com → same
navigate → iana.org → same
No approval prompt is ever shown for the second domain.
Opening a brand-new tab in the same group and navigating it to the second domain fails identically → the lock is session-wide, not per-tab.
Tools on the first domain keep working fine throughout, so the session itself is healthy — it's locked to whichever domain got approved first.
This lines up with @zoyth turnApprovedDomains sticky-state finding and @chiptuned note that the CLI path populates turnApprovedDomains but has no clearTurnApprovedDomains logic.
One change from my earlier comment ("navigate works, read_page/find/javascript blocked"): the surface has shifted — navigate itself is now the thing hard-blocked on any domain past the first. Same root cause, different symptom. Still no in-session workaround on the CLI path.
Source-level root cause (verified from the extension bundle on Windows)
I de-minified the shipped extension (
fcoeoabgfenejglbffodgkkbkcdhcgfn, v1.0.75; same in the v1.0.74 mirror) and the "Navigation to this domain is not allowed" deny comes from an exclusive per-turn allowlist, not from the category blocklist and not from any Chrome host-permission check.PermissionManager.checkPermission()(PermissionManager-BBDx9xIl.js), seeded bymcpPermissions-8PlHLvdl.js:turnApprovedDomainsis populated only from the session plan'sallowedDomainsunderpermissionMode === "follow_a_plan". When it's non-empty, any host not on it is hard-denied with{ allowed:false, needsPrompt:false }— silent, no prompt, short-circuiting before the persisted store and the prompt fallback. Crucially, the gate never callschrome.permissions.contains()and so never consults the<all_urls>grant that "On all sites" controls — which is exactly why "On all sites" does nothing here. (chrome.permissions.contains({origins:['https://example.com/*']})returnstrue, but the extension never asks.)Negative control (proves the gate, not the domain): in a separate ad-hoc session with no plan armed (empty
turnApprovedDomains),navigate()toexample.comandnorthcreekpethospital.comboth SUCCEEDED — the very domains that hard-denied while a one-site plan was active. Same "On all sites", same Chrome. This reconciles "one domain per session" as "only the plan-approved domains are navigable." It also rules out the category blocklist:example.comis benign and denied anyway. The same gate, re-evaluated against the new origin, is whyread_page/screenshotfail after awindow.locationworkaround lands you on an off-plan host (MV3 content-script/debugger detach is a plausible compounding factor, but the visible error is the permission check's own string).Highest-value fix: before the exclusive hard-deny, honor the live grant —
await chrome.permissions.contains({ origins: [new URL(target).origin + '/*'] })— and if it'strue, fall through to ALLOW (or to a prompt) instead of silently denying. Equivalently, expose a user-settable allowed-domains list so personal-account users can pre-approve multiple domains. (Files:PermissionManager-BBDx9xIl.js/mcpPermissions-8PlHLvdl.js; v1.0.74 mirrorPermissionManager-uCwrpbh7.js/mcpPermissions-O6s_WAiZ.js. Env: Windows, v1.0.75, site access "On all sites".)Environment: Claude Code (Desktop app, Windows), model Opus 4.8, Claude in Chrome extension. Single local browser connection.
Repro (internal hosts replaced with placeholders — the relevant point is they're sibling subdomains of one parent domain):
mcp__Claude_in_Chrome__navigate → https://app.dev.example-corp.com/ → ✅ works (and every tool works on it: get_page_text, read_page, find, javascript_tool, screenshot)
navigate → https://app.stage.example-corp.com/ (sibling subdomain, same parent) → ❌ "Navigation to this domain is not allowed"
navigate → https://example.com/ → ❌ same error
No approval prompt ever appears for the blocked domains.
How this differs from the existing reports in this thread:
It is not "first domain in a fresh session wins." In a freshly reconnected session, navigating to the blocked subdomain first still fails, while the permitted subdomain works even when attempted after the failed one — so a specific domain is permitted and others aren't, order-independent.
Reproduced across three escalating resets, each confirmed as a brand-new connection (the connectedAt from list_connected_browsers changed every time):
Desktop app — disconnect → reconnect the Chrome connection
Chrome — toggle the extension off → on
Full machine reboot
In all three, the permitted subdomain works and the sibling/other domains fail identically.
The Claude sidebar / Cowork session (same browser, same machine) reaches the blocked domains fine — only the Claude Code MCP connection is restricted.
Net: on this Desktop-app setup there's no in-reach workaround — a given connection appears permanently scoped to one subdomain and won't admit siblings, surviving reconnect, extension toggle, and reboot.
Still reproducing on Claude desktop app (macOS), Claude in Chrome (Beta).
Settings → Claude in Chrome → "Default for all sites: Allow extension", Blocked sites: none.
mcp navigate to my own app domain (app.ppcoptimizerai.com) returns
"Navigation to this domain is not allowed" — every time, even in a freshly created MCP tab.
Reinstall / settings do not fix it. Only a full Cmd+Q restart of the desktop app
temporarily clears it for the first navigation. Please prioritize — this blocks
all browser-verification workflows.
Still reproducing on 2026-06-23, Windows — Claude in Chrome extension v1.0.77, Claude Code CLI 2.1.187.
It's now two releases (v1.0.76, v1.0.77) since I posted the source-level root cause in this comment: de-minifying the shipped bundle showed the deny comes from an exclusive per-turn allowlist in the permission check. That logic appears unchanged in v1.0.77 — same single-origin lock, same
needsPrompt: falsehard-deny for every domain after the first.Today's repro signature (fresh MCP session, Windows):
wta.org) → succeeds; repeat navigations within it keep working.Navigation to this domain is not allowed:example.com,google.com,parks.wa.gov,rei.com,wikipedia.org,alltrails.com,recreation.gov.example.com,google.com) are blocked too.Net effect: the browser MCP is unusable for any multi-site workflow. The mechanism is known and documented in this thread at the code level (independently confirmed by @zoyth and @chiptuned), and it's still shipping. This has been open since April 3 — can it get prioritized?
Confirmed workaround (Windows 11, desktop app, extension current as of 2026-07-09):
Consistent with the de-minified analysis above (exclusive per-turn allowlist), the behavior we measured is: whichever domain the session touches first becomes the only allowed domain — every later domain is hard-denied with no approval prompt.
So the workaround is simply: make your target site the very first navigation of a fresh session.
Evidence from one machine, same Chrome profile, same MCP tools:
navigate=example.com→ afterwardsx.com/mail.google.comare denied forever ("Navigation to this domain is not allowed", no prompt).navigate=x.com→ works fully (navigate, screenshot, javascript_tool on a logged-in session).x.comhave always worked — which had made the failures look session-type-specific until we traced it to first-domain locking.Limitation: one domain per session — multi-domain workflows still need the CLI or separate sessions. Hope this helps others until the
turnApprovedDomainsclearing logic gets fixed.