Claude in Chrome — turnApprovedDomains Gate 1 hard-denies all non-pre-approved domains, no approval prompt fires (v1.0.74, Windows 11)

Resolved 💬 2 comments Opened Jun 1, 2026 by Ray-B-Projects Closed Jun 5, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Subject: Claude in Chrome — turnApprovedDomains Gate 1 hard-denies all non-pre-approved domains, no approval prompt fires (v1.0.74, Windows 11)

I run a live SaaS (MyAdvisely) in production and use Claude in Chrome via MCP to drive operational tooling end-to-end. The agent can reach Supabase Studio fine, but navigate/read_page to dashboard.render.com and web.telegram.org fail instantly with "Navigation to this domain is not allowed" — and critically, no in-flow approval prompt ever appears in the sidepanel, so "Your approved sites" stays permanently empty and there's no way to grant access.

This matches the root cause in claude-code#50842: once turnApprovedDomains is non-empty, Gate 1 returns { allowed: false, needsPrompt: false } for any unlisted domain, short-circuiting the prompt fallback. Neither Render nor Telegram is in your documented blocked categories (financial/adult/crypto/pirated), so this is the regression, not an intended category deny.

Impact on real ops work: an operator running production infrastructure needs the agent to reach cloud dashboards (Render) and messaging surfaces (Telegram Web) to verify deploys and bot behaviour. A permission gate that hard-denies with no path to approve — not even an in-flow prompt — breaks agentic workflows on exactly the legitimate operational tools the product is meant to enable. The "approve in-flow" design is sound; the bug is that the prompt never fires once any domain is pre-approved.

Ask: (1) fix Gate 1 so non-pre-approved domains fall through to the approval prompt instead of hard-denying; (2) in the interim, expose a manual "Add approved site" control on the extension's Permissions page so users can seed the allow-list without depending on the prompt. Version: extension v1.0.74 (beta), Windows 11.

What Should Happen?

Subject: Claude in Chrome — turnApprovedDomains Gate 1 hard-denies all non-pre-approved domains, no approval prompt fires (v1.0.74, Windows 11)

I run a live SaaS (MyAdvisely) in production and use Claude in Chrome via MCP to drive operational tooling end-to-end. The agent can reach Supabase Studio fine, but navigate/read_page to dashboard.render.com and web.telegram.org fail instantly with "Navigation to this domain is not allowed" — and critically, no in-flow approval prompt ever appears in the sidepanel, so "Your approved sites" stays permanently empty and there's no way to grant access.

This matches the root cause in claude-code#50842: once turnApprovedDomains is non-empty, Gate 1 returns { allowed: false, needsPrompt: false } for any unlisted domain, short-circuiting the prompt fallback. Neither Render nor Telegram is in your documented blocked categories (financial/adult/crypto/pirated), so this is the regression, not an intended category deny.

Impact on real ops work: an operator running production infrastructure needs the agent to reach cloud dashboards (Render) and messaging surfaces (Telegram Web) to verify deploys and bot behaviour. A permission gate that hard-denies with no path to approve — not even an in-flow prompt — breaks agentic workflows on exactly the legitimate operational tools the product is meant to enable. The "approve in-flow" design is sound; the bug is that the prompt never fires once any domain is pre-approved.

Ask: (1) fix Gate 1 so non-pre-approved domains fall through to the approval prompt instead of hard-denying; (2) in the interim, expose a manual "Add approved site" control on the extension's Permissions page so users can seed the allow-list without depending on the prompt. Version: extension v1.0.74 (beta), Windows 11.

Error Messages/Logs

Subject: Claude in Chrome — turnApprovedDomains Gate 1 hard-denies all non-pre-approved domains, no approval prompt fires (v1.0.74, Windows 11)

I run a live SaaS (MyAdvisely) in production and use Claude in Chrome via MCP to drive operational tooling end-to-end. The agent can reach Supabase Studio fine, but navigate/read_page to dashboard.render.com and web.telegram.org fail instantly with "Navigation to this domain is not allowed" — and critically, no in-flow approval prompt ever appears in the sidepanel, so "Your approved sites" stays permanently empty and there's no way to grant access.

This matches the root cause in claude-code#50842: once turnApprovedDomains is non-empty, Gate 1 returns { allowed: false, needsPrompt: false } for any unlisted domain, short-circuiting the prompt fallback. Neither Render nor Telegram is in your documented blocked categories (financial/adult/crypto/pirated), so this is the regression, not an intended category deny.

Impact on real ops work: an operator running production infrastructure needs the agent to reach cloud dashboards (Render) and messaging surfaces (Telegram Web) to verify deploys and bot behaviour. A permission gate that hard-denies with no path to approve — not even an in-flow prompt — breaks agentic workflows on exactly the legitimate operational tools the product is meant to enable. The "approve in-flow" design is sound; the bug is that the prompt never fires once any domain is pre-approved.

Ask: (1) fix Gate 1 so non-pre-approved domains fall through to the approval prompt instead of hard-denying; (2) in the interim, expose a manual "Add approved site" control on the extension's Permissions page so users can seed the allow-list without depending on the prompt. Version: extension v1.0.74 (beta), Windows 11.

Steps to Reproduce

I run a live SaaS (MyAdvisely) in production and use Claude in Chrome via MCP to drive operational tooling end-to-end. The agent can reach Supabase Studio fine, but navigate/read_page to dashboard.render.com and web.telegram.org fail instantly with "Navigation to this domain is not allowed" — and critically, no in-flow approval prompt ever appears in the sidepanel, so "Your approved sites" stays permanently empty and there's no way to grant access.

This matches the root cause in claude-code#50842: once turnApprovedDomains is non-empty, Gate 1 returns { allowed: false, needsPrompt: false } for any unlisted domain, short-circuiting the prompt fallback. Neither Render nor Telegram is in your documented blocked categories (financial/adult/crypto/pirated), so this is the regression, not an intended category deny.

Impact on real ops work: an operator running production infrastructure needs the agent to reach cloud dashboards (Render) and messaging surfaces (Telegram Web) to verify deploys and bot behaviour. A permission gate that hard-denies with no path to approve — not even an in-flow prompt — breaks agentic workflows on exactly the legitimate operational tools the product is meant to enable. The "approve in-flow" design is sound; the bug is that the prompt never fires once any domain is pre-approved.

Ask: (1) fix Gate 1 so non-pre-approved domains fall through to the approval prompt instead of hard-denying; (2) in the interim, expose a manual "Add approved site" control on the extension's Permissions page so users can seed the allow-list without depending on the prompt. Version: extension v1.0.74 (beta), Windows 11.

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

Opus 4.8

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗