Claude in Chrome — turnApprovedDomains Gate 1 hard-denies all non-pre-approved domains, no approval prompt fires (v1.0.74, Windows 11)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Subject: Claude in Chrome — turnApprovedDomains Gate 1 hard-denies all non-pre-approved domains, no approval prompt fires (v1.0.74, Windows 11)
I run a live SaaS (MyAdvisely) in production and use Claude in Chrome via MCP to drive operational tooling end-to-end. The agent can reach Supabase Studio fine, but navigate/read_page to dashboard.render.com and web.telegram.org fail instantly with "Navigation to this domain is not allowed" — and critically, no in-flow approval prompt ever appears in the sidepanel, so "Your approved sites" stays permanently empty and there's no way to grant access.
This matches the root cause in claude-code#50842: once turnApprovedDomains is non-empty, Gate 1 returns { allowed: false, needsPrompt: false } for any unlisted domain, short-circuiting the prompt fallback. Neither Render nor Telegram is in your documented blocked categories (financial/adult/crypto/pirated), so this is the regression, not an intended category deny.
Impact on real ops work: an operator running production infrastructure needs the agent to reach cloud dashboards (Render) and messaging surfaces (Telegram Web) to verify deploys and bot behaviour. A permission gate that hard-denies with no path to approve — not even an in-flow prompt — breaks agentic workflows on exactly the legitimate operational tools the product is meant to enable. The "approve in-flow" design is sound; the bug is that the prompt never fires once any domain is pre-approved.
Ask: (1) fix Gate 1 so non-pre-approved domains fall through to the approval prompt instead of hard-denying; (2) in the interim, expose a manual "Add approved site" control on the extension's Permissions page so users can seed the allow-list without depending on the prompt. Version: extension v1.0.74 (beta), Windows 11.
What Should Happen?
Subject: Claude in Chrome — turnApprovedDomains Gate 1 hard-denies all non-pre-approved domains, no approval prompt fires (v1.0.74, Windows 11)
I run a live SaaS (MyAdvisely) in production and use Claude in Chrome via MCP to drive operational tooling end-to-end. The agent can reach Supabase Studio fine, but navigate/read_page to dashboard.render.com and web.telegram.org fail instantly with "Navigation to this domain is not allowed" — and critically, no in-flow approval prompt ever appears in the sidepanel, so "Your approved sites" stays permanently empty and there's no way to grant access.
This matches the root cause in claude-code#50842: once turnApprovedDomains is non-empty, Gate 1 returns { allowed: false, needsPrompt: false } for any unlisted domain, short-circuiting the prompt fallback. Neither Render nor Telegram is in your documented blocked categories (financial/adult/crypto/pirated), so this is the regression, not an intended category deny.
Impact on real ops work: an operator running production infrastructure needs the agent to reach cloud dashboards (Render) and messaging surfaces (Telegram Web) to verify deploys and bot behaviour. A permission gate that hard-denies with no path to approve — not even an in-flow prompt — breaks agentic workflows on exactly the legitimate operational tools the product is meant to enable. The "approve in-flow" design is sound; the bug is that the prompt never fires once any domain is pre-approved.
Ask: (1) fix Gate 1 so non-pre-approved domains fall through to the approval prompt instead of hard-denying; (2) in the interim, expose a manual "Add approved site" control on the extension's Permissions page so users can seed the allow-list without depending on the prompt. Version: extension v1.0.74 (beta), Windows 11.
Error Messages/Logs
Subject: Claude in Chrome — turnApprovedDomains Gate 1 hard-denies all non-pre-approved domains, no approval prompt fires (v1.0.74, Windows 11)
I run a live SaaS (MyAdvisely) in production and use Claude in Chrome via MCP to drive operational tooling end-to-end. The agent can reach Supabase Studio fine, but navigate/read_page to dashboard.render.com and web.telegram.org fail instantly with "Navigation to this domain is not allowed" — and critically, no in-flow approval prompt ever appears in the sidepanel, so "Your approved sites" stays permanently empty and there's no way to grant access.
This matches the root cause in claude-code#50842: once turnApprovedDomains is non-empty, Gate 1 returns { allowed: false, needsPrompt: false } for any unlisted domain, short-circuiting the prompt fallback. Neither Render nor Telegram is in your documented blocked categories (financial/adult/crypto/pirated), so this is the regression, not an intended category deny.
Impact on real ops work: an operator running production infrastructure needs the agent to reach cloud dashboards (Render) and messaging surfaces (Telegram Web) to verify deploys and bot behaviour. A permission gate that hard-denies with no path to approve — not even an in-flow prompt — breaks agentic workflows on exactly the legitimate operational tools the product is meant to enable. The "approve in-flow" design is sound; the bug is that the prompt never fires once any domain is pre-approved.
Ask: (1) fix Gate 1 so non-pre-approved domains fall through to the approval prompt instead of hard-denying; (2) in the interim, expose a manual "Add approved site" control on the extension's Permissions page so users can seed the allow-list without depending on the prompt. Version: extension v1.0.74 (beta), Windows 11.
Steps to Reproduce
I run a live SaaS (MyAdvisely) in production and use Claude in Chrome via MCP to drive operational tooling end-to-end. The agent can reach Supabase Studio fine, but navigate/read_page to dashboard.render.com and web.telegram.org fail instantly with "Navigation to this domain is not allowed" — and critically, no in-flow approval prompt ever appears in the sidepanel, so "Your approved sites" stays permanently empty and there's no way to grant access.
This matches the root cause in claude-code#50842: once turnApprovedDomains is non-empty, Gate 1 returns { allowed: false, needsPrompt: false } for any unlisted domain, short-circuiting the prompt fallback. Neither Render nor Telegram is in your documented blocked categories (financial/adult/crypto/pirated), so this is the regression, not an intended category deny.
Impact on real ops work: an operator running production infrastructure needs the agent to reach cloud dashboards (Render) and messaging surfaces (Telegram Web) to verify deploys and bot behaviour. A permission gate that hard-denies with no path to approve — not even an in-flow prompt — breaks agentic workflows on exactly the legitimate operational tools the product is meant to enable. The "approve in-flow" design is sound; the bug is that the prompt never fires once any domain is pre-approved.
Ask: (1) fix Gate 1 so non-pre-approved domains fall through to the approval prompt instead of hard-denying; (2) in the interim, expose a manual "Add approved site" control on the extension's Permissions page so users can seed the allow-list without depending on the prompt. Version: extension v1.0.74 (beta), Windows 11.
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
Opus 4.8
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗