mirror of
https://github.com/openclaw/openclaw.git
synced 2026-04-12 17:51:22 +00:00
48c0347921
* fix: in the browser extension s tabs action route the (#310) * fix(browser): fail closed for tab close and CDP redirects * fix(browser): sanitize tab SSRF policy errors * chore(changelog): add browser tabs action policy enforcement entry * fix(browser): differentiate CDP endpoint blocks from navigation blocks in error mapping Split SsrFBlockedError handling so navigation-target policy failures (from assertBrowserNavigationAllowed) surface as 'browser navigation blocked by policy' while CDP endpoint policy failures (from assertCdpEndpointAllowed) surface as 'browser endpoint blocked by policy'. Both stay sanitized so raw policy details still do not leak to callers. - Add BrowserCdpEndpointBlockedError (extends BrowserError, 400). - assertCdpEndpointAllowed now catches SsrFBlockedError and rethrows as BrowserCdpEndpointBlockedError so the route error mapping can route endpoint vs navigation failures to the right user-facing message without inspecting stack strings. - toBrowserErrorResponse: raw SsrFBlockedError now maps to the navigation-blocked message; endpoint-blocked errors are handled by the existing BrowserError branch and keep the endpoint-blocked message. - Update tests that exercised the endpoint path to assert the new error class instead of the raw SSRF message. * fix(browser): move SSRF check after cache hit and thread ssrfPolicy through tryTerminateExecutionViaCdp - connectBrowser: move assertCdpEndpointAllowed after cache lookup so transient DNS failures don't break active cached sessions. - tryTerminateExecutionViaCdp: accept ssrfPolicy and run assertCdpEndpointAllowed before HTTP/WS I/O so the terminate path doesn't bypass SSRF policy enforcement. - forceDisconnectPlaywrightForTarget: thread ssrfPolicy through to tryTerminateExecutionViaCdp. * fix(browser): drop redundant pre-Playwright SSRF checks so cached sessions survive DNS blips Remove assertProfileCdpEndpointAllowed() calls that precede Playwright-backed tab operations (listPagesViaPlaywright, focusPageByTargetIdViaPlaywright, closePageByTargetIdViaPlaywright) since connectBrowser already runs the check on cache miss. Keep the checks before raw CDP HTTP calls (fetchJson/fetchOk for /json/list, /json/activate, /json/close) where there is no connection cache. Add comment on fetchCdpChecked explaining why redirect blocking covers all CDP HTTP paths, not just probes.