Align external marker span mapping (#63885)

* fix(markers): align external marker spans * fix(browser): ssrfPolicy defaults fail-closed for unconfigured installs (GHSA-53vx-pmqw-863c) * fix(browser): enforce strict default SSRF policy * chore(changelog): add browser SSRF default + marker alignment entry --------- Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-05-05 09:20:22 +00:00 · 2026-04-10 11:35:20 -07:00
parent daeb74920d
commit 905f19230a
11 changed files with 97 additions and 37 deletions
--- a/src/config/schema.base.generated.ts
+++ b/src/config/schema.base.generated.ts
@@ -618,7 +618,7 @@ export const GENERATED_BASE_CONFIG_SCHEMA: BaseConfigSchemaResponse = {
                type: "boolean",
                title: "Browser Dangerously Allow Private Network",
                description:
-                  "Allows access to private-network address ranges from browser tooling. Default is enabled for trusted-network operator setups; disable to enforce strict public-only resolution checks.",
+                  "Allows access to private-network address ranges from browser tooling. Default is disabled when unset; enable only for explicitly trusted private-network destinations.",
              },
              allowedHostnames: {
                type: "array",
@@ -25435,7 +25435,7 @@ export const GENERATED_BASE_CONFIG_SCHEMA: BaseConfigSchemaResponse = {
    },
    "browser.ssrfPolicy.dangerouslyAllowPrivateNetwork": {
      label: "Browser Dangerously Allow Private Network",
-      help: "Allows access to private-network address ranges from browser tooling. Default is enabled for trusted-network operator setups; disable to enforce strict public-only resolution checks.",
+      help: "Allows access to private-network address ranges from browser tooling. Default is disabled when unset; enable only for explicitly trusted private-network destinations.",
      tags: ["security", "access", "advanced"],
    },
    "browser.ssrfPolicy.allowedHostnames": {
--- a/src/config/schema.help.ts
+++ b/src/config/schema.help.ts
@@ -267,7 +267,7 @@ export const FIELD_HELP: Record<string, string> = {
  "browser.ssrfPolicy":
    "Server-side request forgery guardrail settings for browser/network fetch paths that could reach internal hosts. Keep restrictive defaults in production and open only explicitly approved targets.",
  "browser.ssrfPolicy.dangerouslyAllowPrivateNetwork":
-    "Allows access to private-network address ranges from browser tooling. Default is enabled for trusted-network operator setups; disable to enforce strict public-only resolution checks.",
+    "Allows access to private-network address ranges from browser tooling. Default is disabled when unset; enable only for explicitly trusted private-network destinations.",
  "browser.ssrfPolicy.allowedHostnames":
    "Explicit hostname allowlist exceptions for SSRF policy checks on browser/network requests. Keep this list minimal and review entries regularly to avoid stale broad access.",
  "browser.ssrfPolicy.hostnameAllowlist":