Browser allowlist
Per-workspace control over which domains the browser tool can visit.
Open the UI
⌘⇧B (or Ctrl+Shift+B) opens the allowlist modal. Also reachable via the Allowed sites chip in the top bar.
What's in it
A two-column layout:
- Left — a search field and category list of common domains: Google, GitHub, AWS, Stripe, OpenAI, Anthropic, etc.
- Right — your current allowlist.
How to add
Click any preset to add it. Or type a domain in the "Custom" field — wildcards (*.example.com) are supported.
Changes save immediately via PUT /api/browser/allowlist. No restart needed.
How to remove
Click the × on any allowed entry. Removed instantly.
Default state
A new workspace starts with an empty allowlist. The agent can only visit allowlisted domains. This is intentional — secure-by-default.
Domain matching
| Pattern | Matches |
|---|---|
| example.com | example.com only (not subdomains). |
| *.example.com | any subdomain (a.example.com, b.example.com). |
| * | wildcard — don't use this in production. |
The matcher checks the registrable domain of the requested URL, not just the hostname. This prevents bypass via redirects.
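An added Python sketch of the pattern semantics in the table above (not the product's own matcher), useful for checking a planned allowlist against test URLs. It compares against the parsed hostname only; the registrable-domain check needs a Public Suffix List and is not implemented here. The function names, the http/https restriction, nested subdomains matching `*.example.com`, and the apex being excluded from it are assumptions.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Return the normalized hostname of an http(s) URL, or None if unusable."""
    if "\\" in url:
        # Browsers treat "\" as "/" in http(s) URLs, so parsers can disagree
        # about where the host ends. Refuse instead of guessing.
        return None
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops userinfo ("user@") and port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None  # assumption: only web schemes are eligible
    return host.rstrip(".").lower()  # "GitHub.com." -> "github.com"

def pattern_matches(pattern, host):
    """Apply one allowlist pattern to an already-normalized hostname."""
    pattern = pattern.strip().rstrip(".").lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        # The leading dot forces a label boundary, so "evilexample.com"
        # fails; the length check rejects an empty first label.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern  # exact entry: no subdomains

def is_allowed(url, allowlist):
    """Default deny: an empty allowlist or an unparsable URL is blocked."""
    host = host_of(url)
    return host is not None and any(pattern_matches(p, host) for p in allowlist)

def risky_entries(allowlist):
    """Entries that disable the control entirely (the bare wildcard)."""
    return [p for p in allowlist if p.strip() == "*"]

if __name__ == "__main__":
    allow = ["github.com", "*.example.com"]  # constructed sample allowlist
    for url in ("https://github.com/org/repo",       # exact match
                "https://api.github.com/",           # subdomain of exact entry
                "https://github.com@evil.test/",     # userinfo lookalike
                "https://evilexample.com/"):         # suffix lookalike
        print("allow" if is_allowed(url, allow) else "block", url)
```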
What "allowed" means
- The agent's browser_open tool may navigate to allowed domains.
- The agent's fetch_url tool may fetch from allowed domains.
- The preview iframe is not subject to this allowlist (previews are workspace-rendered, not external).
Audit
Every browser/fetch call is logged in the receipt with the URL. If the call was rejected by the allowlist, the receipt records guards.egress: "block" and the URL.