From 1dabfef28db523e7de81edeb3dd689e9171236a2 Mon Sep 17 00:00:00 2001
From: Ayaan Zaidi <hi@obviy.us>
Date: Tue, 14 Apr 2026 12:22:14 +0530
Subject: [PATCH] fix(browser): preserve explicit strict SSRF config

---
 extensions/browser/src/browser/config.test.ts | 2 +-
 extensions/browser/src/browser/config.ts      | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/extensions/browser/src/browser/config.test.ts b/extensions/browser/src/browser/config.test.ts
index 2adfa097e90..30f1e266ce0 100644
--- a/extensions/browser/src/browser/config.test.ts
+++ b/extensions/browser/src/browser/config.test.ts
@@ -318,7 +318,7 @@ describe("browser config", () => {
         dangerouslyAllowPrivateNetwork: false,
       },
     });
-    expect(resolved.ssrfPolicy).toEqual({});
+    expect(resolved.ssrfPolicy).toEqual({ dangerouslyAllowPrivateNetwork: false });
   });
 
   it("keeps allowlist-only browser SSRF policy strict by default", () => {
diff --git a/extensions/browser/src/browser/config.ts b/extensions/browser/src/browser/config.ts
index e2f6a69772d..87f6a0a517a 100644
--- a/extensions/browser/src/browser/config.ts
+++ b/extensions/browser/src/browser/config.ts
@@ -149,7 +149,9 @@ function resolveBrowserSsrFPolicy(cfg: BrowserConfig | undefined): SsrFPolicy |
   }
 
   return {
-    ...(resolvedAllowPrivateNetwork ? { dangerouslyAllowPrivateNetwork: true } : {}),
+    ...(resolvedAllowPrivateNetwork || dangerouslyAllowPrivateNetwork === false
+      ? { dangerouslyAllowPrivateNetwork: resolvedAllowPrivateNetwork }
+      : {}),
     ...(allowedHostnames ? { allowedHostnames } : {}),
     ...(hostnameAllowlist ? { hostnameAllowlist } : {}),
   };