Claude in Chrome extension blocks legitimate dev subdomain (app-dev.nomercy.tv)
Bug Report: Chrome Extension Domain Classification Blocks Legitimate Dev Subdomain
Problem
The Claude in Chrome extension (v1.0.66) blocks all interaction with app-dev.nomercy.tv while allowing app.nomercy.tv. Both are subdomains of the same domain (nomercy.tv) pointing to the same application — one is production, one is development.
Every tool call (screenshot, javascript_tool, read_page, navigate, find, etc.) returns:
"This site is blocked by your organization's policy."
Root Cause
The extension calls https://api.anthropic.com/api/web/domain_info/browser_extension?domain=<domain> to classify URLs. The API response for app-dev.nomercy.tv returns a blocking classification (category_org_blocked or category1/category2), while app.nomercy.tv and nomercy.tv pass fine.
The blocking logic in mcpPermissions-qqAoJjJ8.js:
static async getCategory(e) {
if (await $.isUrlBlockedByManagedPolicy(e)) return "category_org_blocked";
// ...fetches from API...
}
static getEffectiveCategory(e) {
return "block" === e.org_policy ? "category_org_blocked" : e.category;
}
There are no managed policies set (registry is empty, managed extension storage is empty). The block comes entirely from the server-side API classification.
Impact
- Cannot use Claude in Chrome to test/validate changes on development environments
- The
-devsubdomain pattern is extremely common for web development - Forces developers to deploy to production before they can validate with Claude
- No user-configurable allowlist exists to override the API classification
Steps to Reproduce
- Install Claude in Chrome extension (v1.0.66)
- Ensure extension has "All sites" permission
- Navigate to any
*-dev.nomercy.tvURL - Attempt any MCP tool call (screenshot, javascript_tool, etc.)
- Observe: "This site is blocked by your organization's policy."
- Navigate to
app.nomercy.tv(same app, production domain) - Observe: all tools work correctly
Expected Behavior
Subdomains of the same root domain should receive the same classification, or developers should have a local allowlist to override server-side classifications for their own domains.
Environment
- Chrome Extension: Claude in Chrome v1.0.66
- Extension ID:
fcoeoabgfenejglbffodgkkbkcdhcgfn - OS: Windows 10 Pro
- Chrome Profile: Profile 1
Suggestion
Consider one or more of:
- Allow subdomain inheritance — if
nomercy.tvandapp.nomercy.tvare allowed,app-dev.nomercy.tvshould be too - User-configurable allowlist — the
managed_schema.jsonalready definesblockedUrlPatterns, add anallowedUrlPatternscounterpart - Improve classifier — common dev subdomain patterns (
*-dev.*,*-staging.*,dev.*,staging.*) of allowed domains should not be blocked
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗