[BUG] sandbox.network.allowedDomains cannot allow localhost — NO_PROXY bypass prevents proxy routing to local services
Summary
When using the local Claude Code sandbox (Linux/bwrap), sandbox.network.allowedDomains: ["localhost", "127.0.0.1"] does not allow connections to locally-running services. The sandbox sets NO_PROXY=localhost,127.0.0.1,... at runtime, which causes HTTP clients (curl, Node.js fetch, etc.) to bypass the sandbox proxy and connect directly to localhost — but direct TCP connections fail in the sandbox's network namespace because host services are not visible there.
Environment
- Platform: Linux (VSCodium extension)
- Sandbox: enabled (bwrap)
Steps to Reproduce
- Run a local HTTP service on
localhost:PORT(e.g. a self-hosted Firecrawl instance on:3002) - Add to
~/.claude/settings.json:
``json``
{
"sandbox": {
"enabled": true,
"network": {
"allowLocalBinding": true,
"allowedDomains": ["localhost", "127.0.0.1"]
}
}
}
- From a Claude Code Bash tool call, attempt:
curl http://localhost:3002/...
Expected
Connection succeeds — allowedDomains should allow the sandbox proxy to forward traffic to localhost:PORT.
Actual
curl: (7) Failed to connect to localhost port 3002: Connection refused
Verbose output reveals the cause:
* Uses proxy env variable no_proxy == 'localhost,127.0.0.1,::1,...'
* Trying 127.0.0.1:3002...
* connect ECONNREFUSED 127.0.0.1:3002
The sandbox injects NO_PROXY=localhost,127.0.0.1,... at runtime, overriding any env: overrides in settings.json. This causes all HTTP clients to bypass the proxy for localhost, then fail because the host service is not in the sandbox's network namespace.
Root Cause
The sandbox HTTP proxy (:3128) is the only egress path from the sandbox's network namespace. allowedDomains controls what that proxy will forward — but NO_PROXY=localhost prevents clients from ever reaching the proxy for localhost connections. The two mechanisms are at cross-purposes.
What I Tried
| Setting | Outcome |
|---|---|
| allowedDomains: ["localhost", "127.0.0.1"] | Adds to session allowedHosts but no_proxy bypass prevents proxy routing |
| excludedCommands: ["firecrawl"] | Does not appear to take effect |
| env: { "NO_PROXY": "127.0.0.1,..." } (without localhost) | Sandbox overwrites NO_PROXY at runtime, ignoring settings.json |
Suggested Fix
One of:
- Exclude hosts listed in
allowedDomainsfrom the auto-injectedNO_PROXY, so proxy routing applies to them - Make
excludedCommandsreliably exempt commands from the sandbox network namespace - Document this limitation with a supported workaround for reaching host-local services
Workaround
Using dangerouslyDisableSandbox: true on individual Bash calls works but requires per-call approval and is not available within skill-invoked commands.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗