diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 945a321f4..98e6d116d 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "bac98d42188127d5458a2aaca75987523ca1fc10", - "syncedAt": "2026-04-10T16:31:51.379Z" + "sha": "905f19230a1379ae3a4f3230a42acf55c5f3c8b1", + "syncedAt": "2026-04-10T18:36:08.874Z" } diff --git a/docs/gateway/configuration-reference.md b/docs/gateway/configuration-reference.md index 429d90a57..9c53e8198 100644 --- a/docs/gateway/configuration-reference.md +++ b/docs/gateway/configuration-reference.md @@ -2758,7 +2758,7 @@ See [Plugins](/tools/plugin). evaluateEnabled: true, defaultProfile: "user", ssrfPolicy: { - dangerouslyAllowPrivateNetwork: true, // default trusted-network mode + // dangerouslyAllowPrivateNetwork: true, // opt in only for trusted private-network access // allowPrivateNetwork: true, // legacy alias // hostnameAllowlist: ["*.example.com", "example.com"], // allowedHostnames: ["localhost"], @@ -2786,8 +2786,8 @@ See [Plugins](/tools/plugin). ``` - `evaluateEnabled: false` disables `act:evaluate` and `wait --fn`. -- `ssrfPolicy.dangerouslyAllowPrivateNetwork` defaults to `true` when unset (trusted-network model). -- Set `ssrfPolicy.dangerouslyAllowPrivateNetwork: false` for strict public-only browser navigation. +- `ssrfPolicy.dangerouslyAllowPrivateNetwork` is disabled when unset, so browser navigation stays strict by default. +- Set `ssrfPolicy.dangerouslyAllowPrivateNetwork: true` only when you intentionally trust private-network browser navigation. - In strict mode, remote CDP profile endpoints (`profiles.*.cdpUrl`) are subject to the same private-network blocking during reachability/discovery checks. - `ssrfPolicy.allowPrivateNetwork` remains supported as a legacy alias. - In strict mode, use `ssrfPolicy.hostnameAllowlist` and `ssrfPolicy.allowedHostnames` for explicit exceptions. diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 48ae234b1..338ca9a7b 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -1149,13 +1149,13 @@ access those accounts and data. Treat browser profiles as **sensitive state**: - Disable browser proxy routing when you don’t need it (`gateway.nodes.browser.mode="off"`). - Chrome MCP existing-session mode is **not** “safer”; it can act as you in whatever that host Chrome profile can reach. -### Browser SSRF policy (trusted-network default) +### Browser SSRF policy (strict by default) -OpenClaw’s browser network policy defaults to the trusted-operator model: private/internal destinations are allowed unless you explicitly disable them. +OpenClaw’s browser navigation policy is strict by default: private/internal destinations stay blocked unless you explicitly opt in. -- Default: `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork: true` (implicit when unset). +- Default: `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork` is unset, so browser navigation keeps private/internal/special-use destinations blocked. - Legacy alias: `browser.ssrfPolicy.allowPrivateNetwork` is still accepted for compatibility. -- Strict mode: set `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork: false` to block private/internal/special-use destinations by default. +- Opt-in mode: set `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork: true` to allow private/internal/special-use destinations. - In strict mode, use `hostnameAllowlist` (patterns like `*.example.com`) and `allowedHostnames` (exact host exceptions, including blocked names like `localhost`) for explicit exceptions. - Navigation is checked before request and best-effort re-checked on the final `http(s)` URL after navigation to reduce redirect-based pivots. diff --git a/docs/tools/browser.md b/docs/tools/browser.md index 01a3ff5e5..9510a1f5d 100644 --- a/docs/tools/browser.md +++ b/docs/tools/browser.md @@ -146,7 +146,7 @@ Browser settings live in `~/.openclaw/openclaw.json`. browser: { enabled: true, // default: true ssrfPolicy: { - dangerouslyAllowPrivateNetwork: true, // default trusted-network mode + // dangerouslyAllowPrivateNetwork: true, // opt in only for trusted private-network access // allowPrivateNetwork: true, // legacy alias // hostnameAllowlist: ["*.example.com", "example.com"], // allowedHostnames: ["localhost"], @@ -191,7 +191,7 @@ Notes: - `remoteCdpHandshakeTimeoutMs` applies to remote CDP WebSocket reachability checks. - Browser navigation/open-tab is SSRF-guarded before navigation and best-effort re-checked on final `http(s)` URL after navigation. - In strict SSRF mode, remote CDP endpoint discovery/probes (`cdpUrl`, including `/json/version` lookups) are checked too. -- `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork` defaults to `true` (trusted-network model). Set it to `false` for strict public-only browsing. +- `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork` is disabled by default. Set it to `true` only when you intentionally trust private-network browser access. - `browser.ssrfPolicy.allowPrivateNetwork` remains supported as a legacy alias for compatibility. - `attachOnly: true` means “never launch a local browser; only attach if it is already running.” - `color` + per-profile `color` tint the browser UI so you can see which profile is active.