Claude in Chrome extension blocks legitimate dev subdomain (app-dev.nomercy.tv)

Resolved 💬 3 comments Opened Apr 3, 2026 by StoneyEagle Closed Apr 6, 2026

Bug Report: Chrome Extension Domain Classification Blocks Legitimate Dev Subdomain

Problem

The Claude in Chrome extension (v1.0.66) blocks all interaction with app-dev.nomercy.tv while allowing app.nomercy.tv. Both are subdomains of the same domain (nomercy.tv) pointing to the same application — one is production, one is development.

Every tool call (screenshot, javascript_tool, read_page, navigate, find, etc.) returns:

"This site is blocked by your organization's policy."

Root Cause

The extension calls https://api.anthropic.com/api/web/domain_info/browser_extension?domain=<domain> to classify URLs. The API response for app-dev.nomercy.tv returns a blocking classification (category_org_blocked or category1/category2), while app.nomercy.tv and nomercy.tv pass fine.

The blocking logic in mcpPermissions-qqAoJjJ8.js:

static async getCategory(e) {
  if (await $.isUrlBlockedByManagedPolicy(e)) return "category_org_blocked";
  // ...fetches from API...
}

static getEffectiveCategory(e) {
  return "block" === e.org_policy ? "category_org_blocked" : e.category;
}

There are no managed policies set (registry is empty, managed extension storage is empty). The block comes entirely from the server-side API classification.

Impact

  • Cannot use Claude in Chrome to test/validate changes on development environments
  • The -dev subdomain pattern is extremely common for web development
  • Forces developers to deploy to production before they can validate with Claude
  • No user-configurable allowlist exists to override the API classification

Steps to Reproduce

  1. Install Claude in Chrome extension (v1.0.66)
  2. Ensure extension has "All sites" permission
  3. Navigate to any *-dev.nomercy.tv URL
  4. Attempt any MCP tool call (screenshot, javascript_tool, etc.)
  5. Observe: "This site is blocked by your organization's policy."
  6. Navigate to app.nomercy.tv (same app, production domain)
  7. Observe: all tools work correctly

Expected Behavior

Subdomains of the same root domain should receive the same classification, or developers should have a local allowlist to override server-side classifications for their own domains.

Environment

  • Chrome Extension: Claude in Chrome v1.0.66
  • Extension ID: fcoeoabgfenejglbffodgkkbkcdhcgfn
  • OS: Windows 10 Pro
  • Chrome Profile: Profile 1

Suggestion

Consider one or more of:

  1. Allow subdomain inheritance — if nomercy.tv and app.nomercy.tv are allowed, app-dev.nomercy.tv should be too
  2. User-configurable allowlist — the managed_schema.json already defines blockedUrlPatterns, add an allowedUrlPatterns counterpart
  3. Improve classifier — common dev subdomain patterns (*-dev.*, *-staging.*, dev.*, staging.*) of allowed domains should not be blocked

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗