[DOCS] Settings and sandbox docs missing `sandbox.network.deniedDomains` configuration
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://code.claude.com/docs/en/settings
Section/Topic
Sandbox settings (network.allowedDomains / network.allowManagedDomainsOnly)
Current Documentation
The settings page documents the allowlist settings, but not the denylist setting added in v2.1.113:
|network.allowedDomains| Array of domains to allow for outbound network traffic. Supports wildcards (e.g.,*.example.com). |["github.com", "*.npmjs.org"]| |network.allowManagedDomainsOnly| (Managed settings only) OnlyallowedDomainsandWebFetch(domain:...)allow rules from managed settings are respected. Domains from user, project, and local settings are ignored. Non-allowed domains are blocked automatically without prompting the user. Denied domains are still respected from all sources. Default: false |true|
Related pages also refer to the allowlist without documenting the denylist setting itself:
Network restrictions combine WebFetch permission rules with the sandbox's allowedDomains list
|sandbox.network.allowManagedDomainsOnly| Whentrue, onlyallowedDomainsandWebFetch(domain:...)allow rules from managed settings are respected. Non-allowed domains are blocked automatically without prompting the user. Denied domains still merge from all sources |
Domain restrictions: Only approved domains can be accessed User confirmation: New domain requests trigger permission prompts (unless allowManagedDomainsOnly is enabled, which blocks non-allowed domains automatically)
What's Wrong or Missing?
Changelog v2.1.113 added sandbox.network.deniedDomains to block specific domains even when a broader allowedDomains wildcard would otherwise allow them. The current docs mention that denied domains exist, but they do not document:
- the setting name users need to configure
- the expected syntax
- how deny rules interact with
allowedDomains - an example where a specific denied domain overrides a broader wildcard allow rule
Suggested Improvement
Add network.deniedDomains to the sandbox settings reference and cross-reference it from the permissions and sandboxing pages.
Suggested coverage:
- document the setting name and where it belongs in the JSON structure
- explain that matching deny entries override broader
allowedDomainsmatches - clarify whether the same wildcard syntax is supported for deny entries
- add an example such as:
{
"sandbox": {
"network": {
"allowedDomains": ["*.example.com"],
"deniedDomains": ["admin.example.com"]
}
}
}
If this property is also available through the Agent SDK sandbox config, update that reference page as well so the type definition and property table stay aligned with the settings docs.
Impact
Medium - Makes feature difficult to understand
Additional Context
Affected Pages:
| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/settings | Sandbox settings table documents network.allowedDomains but not the new denylist setting |
| https://code.claude.com/docs/en/permissions | Explains that denied domains merge from all sources, but does not document the setting that defines them |
| https://code.claude.com/docs/en/sandboxing | Describes domain restrictions at a high level without the deniedDomains configuration |
| https://code.claude.com/docs/en/agent-sdk/typescript | SandboxNetworkConfig lists allowedDomains and allowManagedDomainsOnly but not the denylist property |
Total scope: 4 pages affected
Source: Changelog v2.1.113
Exact changelog entry:
Addedsandbox.network.deniedDomainssetting to block specific domains even when a broaderallowedDomainswildcard would otherwise permit them
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗