[BUG] sandbox.network.allowedDomains cannot allow localhost — NO_PROXY bypass prevents proxy routing to local services

Resolved 💬 2 comments Opened Jun 4, 2026 by fstollar Closed Jun 8, 2026

Summary

When using the local Claude Code sandbox (Linux/bwrap), sandbox.network.allowedDomains: ["localhost", "127.0.0.1"] does not allow connections to locally-running services. The sandbox sets NO_PROXY=localhost,127.0.0.1,... at runtime, which causes HTTP clients (curl, Node.js fetch, etc.) to bypass the sandbox proxy and connect directly to localhost — but direct TCP connections fail in the sandbox's network namespace because host services are not visible there.

Environment

  • Platform: Linux (VSCodium extension)
  • Sandbox: enabled (bwrap)

Steps to Reproduce

  1. Run a local HTTP service on localhost:PORT (e.g. a self-hosted Firecrawl instance on :3002)
  2. Add to ~/.claude/settings.json:

``json
{
"sandbox": {
"enabled": true,
"network": {
"allowLocalBinding": true,
"allowedDomains": ["localhost", "127.0.0.1"]
}
}
}
``

  1. From a Claude Code Bash tool call, attempt: curl http://localhost:3002/...

Expected

Connection succeeds — allowedDomains should allow the sandbox proxy to forward traffic to localhost:PORT.

Actual

curl: (7) Failed to connect to localhost port 3002: Connection refused

Verbose output reveals the cause:

* Uses proxy env variable no_proxy == 'localhost,127.0.0.1,::1,...'
* Trying 127.0.0.1:3002...
* connect ECONNREFUSED 127.0.0.1:3002

The sandbox injects NO_PROXY=localhost,127.0.0.1,... at runtime, overriding any env: overrides in settings.json. This causes all HTTP clients to bypass the proxy for localhost, then fail because the host service is not in the sandbox's network namespace.

Root Cause

The sandbox HTTP proxy (:3128) is the only egress path from the sandbox's network namespace. allowedDomains controls what that proxy will forward — but NO_PROXY=localhost prevents clients from ever reaching the proxy for localhost connections. The two mechanisms are at cross-purposes.

What I Tried

| Setting | Outcome |
|---|---|
| allowedDomains: ["localhost", "127.0.0.1"] | Adds to session allowedHosts but no_proxy bypass prevents proxy routing |
| excludedCommands: ["firecrawl"] | Does not appear to take effect |
| env: { "NO_PROXY": "127.0.0.1,..." } (without localhost) | Sandbox overwrites NO_PROXY at runtime, ignoring settings.json |

Suggested Fix

One of:

  1. Exclude hosts listed in allowedDomains from the auto-injected NO_PROXY, so proxy routing applies to them
  2. Make excludedCommands reliably exempt commands from the sandbox network namespace
  3. Document this limitation with a supported workaround for reaching host-local services

Workaround

Using dangerouslyDisableSandbox: true on individual Bash calls works but requires per-call approval and is not available within skill-invoked commands.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗