[DOCS] Permissions page does not document `WebFetch(domain:*.example.com)` wildcard subdomain matching syntax

Open 💬 0 comments Opened Jun 10, 2026 by coygeek

Documentation Type

Missing documentation

Documentation Location

https://code.claude.com/docs/en/permissions

Section/Topic

The "WebFetch" examples (around line 80) and the "WebFetch" subsection in the tool reference list (around line 255–260)

Current Documentation

WebFetch(domain:example.com) | Matches fetch requests to example.com
* WebFetch(domain:example.com) matches fetch requests to example.com

The wildcard patterns section (~line 82–107) only describes Bash rule wildcards, not WebFetch domain rules.

What's Wrong or Missing?

The v2.1.172 release notes ship a fix to wildcard subdomain matching:

Fixed WebFetch(domain:*.example.com) wildcard domain rules never matching subdomains in allow, deny, and ask position

WebFetch(domain:*.example.com) now correctly matches sub.example.com, a.b.example.com, etc. The page never documents the syntax at all, so users couldn't write the rule that now works.

Suggested Improvement

Update the WebFetch example and bullet to:

WebFetch(domain:example.com) | Matches fetch requests to example.com exactly WebFetch(domain:*.example.com) | Matches example.com and any subdomain (e.g. api.example.com, docs.example.com)

And add a short note in the WebFetch section:

Use *.example.com (wildcard at the start, with the dot) to match the apex domain and all of its subdomains. Bare * is not supported in WebFetch(domain:...) rules; the wildcard must be on the leftmost label.

Impact

Medium - Makes feature difficult to understand

Additional Context

Version: v2.1.172. The same release also fixed Read(secrets-*/config.json) mid-pattern wildcards being rejected at startup, but the Permissions page's Bash/file rule section already shows mid-pattern *; only WebFetch domain rules need new text.

View original on GitHub ↗