Guard current browser tab exports (#75731)

eleqtrizit · drobison00 · web-flow · commit ef0dbcf49d85 · 2026-05-04T14:07:17.000-06:00
* fix(browser): guard current tab exports * fix(browser): expand tab guard coverage * fix(browser): guard tab reads * fix(browser): guard screenshot route * changelog: PR #75731 --------- Co-authored-by: Devin Robison <drobison@nvidia.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -212,6 +212,7 @@ Docs: https://docs.openclaw.ai
 - Security/Windows: pin Windows registry-probe `reg.exe` resolution to the canonical Windows install root in install-root probing, so `SystemRoot`/`WINDIR` env overrides cannot redirect registry queries during Windows host detection. (#74454) Thanks @mmaps.
 - QQBot: preserve the framework command authorization decision when converting framework command contexts into engine slash command contexts, so downstream slash handlers see `commandAuthorized` matching the channel's resolved `isAuthorizedSender` instead of a hardcoded `true`. (#77453) Thanks @drobison00.
 - Security/Windows: block `LOCALAPPDATA` from workspace `.env` and resolve Windows update-flow portable Git path prepends from the trusted process-local `LOCALAPPDATA` only, so workspace-supplied values cannot redirect `git` discovery during `openclaw update`. (#77470) Thanks @drobison00.
+- Browser/SSRF: enforce the existing current-tab URL navigation policy before tab-scoped debug, export, and read routes (console, page errors, network requests, trace start/stop, response body, screenshot, snapshot, storage, etc.) collect from an already-selected tab, so blocked tabs return a policy error instead of being read first and redacted only at response time. (#75731) Thanks @eleqtrizit.
 
 ## 2026.5.3-1
 
diff --git a/extensions/browser/src/browser/routes/agent.act.ts b/extensions/browser/src/browser/routes/agent.act.ts
@@ -695,6 +695,7 @@ export function registerBrowserAgentActRoutes(
         res,
         ctx,
         targetId,
+        enforceCurrentUrlAllowed: true,
         run: async ({ profileCtx, cdpUrl, tab, resolveTabUrl }) => {
           if (getBrowserProfileCapabilities(profileCtx.profile).usesChromeMcp) {
             return jsonError(res, 501, EXISTING_SESSION_LIMITS.responseBody);
diff --git a/extensions/browser/src/browser/routes/agent.debug.ts b/extensions/browser/src/browser/routes/agent.debug.ts
@@ -29,6 +29,7 @@ export function registerBrowserAgentDebugRoutes(
         ctx,
         targetId,
         feature: "console messages",
+        enforceCurrentUrlAllowed: true,
         run: async ({ cdpUrl, tab, pw, resolveTabUrl }) => {
           const messages = await pw.getConsoleMessagesViaPlaywright({
             cdpUrl,
@@ -54,6 +55,7 @@ export function registerBrowserAgentDebugRoutes(
         ctx,
         targetId,
         feature: "page errors",
+        enforceCurrentUrlAllowed: true,
         run: async ({ cdpUrl, tab, pw, resolveTabUrl }) => {
           const result = await pw.getPageErrorsViaPlaywright({
             cdpUrl,
@@ -80,6 +82,7 @@ export function registerBrowserAgentDebugRoutes(
         ctx,
         targetId,
         feature: "network requests",
+        enforceCurrentUrlAllowed: true,
         run: async ({ cdpUrl, tab, pw, resolveTabUrl }) => {
           const result = await pw.getNetworkRequestsViaPlaywright({
             cdpUrl,
@@ -109,6 +112,7 @@ export function registerBrowserAgentDebugRoutes(
         ctx,
         targetId,
         feature: "trace start",
+        enforceCurrentUrlAllowed: true,
         run: async ({ cdpUrl, tab, pw, resolveTabUrl }) => {
           await pw.traceStartViaPlaywright({
             cdpUrl,
@@ -137,6 +141,7 @@ export function registerBrowserAgentDebugRoutes(
         ctx,
         targetId,
         feature: "trace stop",
+        enforceCurrentUrlAllowed: true,
         run: async ({ cdpUrl, tab, pw, resolveTabUrl }) => {
           const id = crypto.randomUUID();
           const tracePath = await resolveWritableOutputPathOrRespond({
diff --git a/extensions/browser/src/browser/routes/agent.shared.test.ts b/extensions/browser/src/browser/routes/agent.shared.test.ts
@@ -1,10 +1,13 @@
-import { describe, expect, it } from "vitest";
+import { describe, expect, it, vi } from "vitest";
+import type { BrowserRouteContext, ProfileContext } from "../server-context.js";
 import {
   readBody,
   resolveSafeRouteTabUrl,
   resolveTargetIdFromBody,
   resolveTargetIdFromQuery,
+  withRouteTabContext,
 } from "./agent.shared.js";
+import { createBrowserRouteResponse } from "./test-helpers.js";
 import type { BrowserRequest } from "./types.js";
 
 function requestWithBody(body: unknown): BrowserRequest {
@@ -36,6 +39,31 @@ function profileContext(tabs: Array<{ targetId: string; url: string }>) {
   };
 }
 
+function routeContextForTab(url: string): BrowserRouteContext {
+  const profileCtx = {
+    profile: {
+      cdpUrl: "http://127.0.0.1:9222",
+      name: "default",
+    },
+    ensureTabAvailable: vi.fn(async () => ({
+      targetId: "tab-1",
+      title: "Tab",
+      url,
+      type: "page",
+    })),
+  } as unknown as ProfileContext;
+
+  return {
+    forProfile: () => profileCtx,
+    state: () => ({
+      resolved: {
+        ssrfPolicy: {},
+      },
+    }),
+    mapTabError: () => null,
+  } as unknown as BrowserRouteContext;
+}
+
 describe("browser route shared helpers", () => {
   describe("readBody", () => {
     it("returns object bodies", () => {
@@ -100,4 +128,44 @@ describe("browser route shared helpers", () => {
       ).resolves.toBeUndefined();
     });
   });
+
+  describe("withRouteTabContext", () => {
+    it("does not enforce current-tab URL policy unless requested", async () => {
+      const response = createBrowserRouteResponse();
+      const run = vi.fn(async () => {
+        response.res.json({ ok: true });
+      });
+
+      await withRouteTabContext({
+        req: requestWithBody({}),
+        res: response.res,
+        ctx: routeContextForTab("http://127.0.0.1:8080/admin"),
+        run,
+      });
+
+      expect(run).toHaveBeenCalledOnce();
+      expect(response.body).toEqual({ ok: true });
+    });
+
+    it("blocks guarded routes before running on a disallowed current tab", async () => {
+      const response = createBrowserRouteResponse();
+      const run = vi.fn(async () => {
+        response.res.json({ ok: true });
+      });
+
+      await withRouteTabContext({
+        req: requestWithBody({}),
+        res: response.res,
+        ctx: routeContextForTab("http://127.0.0.1:8080/admin"),
+        enforceCurrentUrlAllowed: true,
+        run,
+      });
+
+      expect(run).not.toHaveBeenCalled();
+      expect(response.statusCode).toBe(400);
+      expect(response.body).toMatchObject({ error: expect.any(String) });
+      const body = response.body as { error?: unknown };
+      expect(body.error).not.toBe("");
+    });
+  });
 });
diff --git a/extensions/browser/src/browser/routes/agent.shared.ts b/extensions/browser/src/browser/routes/agent.shared.ts
@@ -107,6 +107,11 @@ type RouteWithTabParams<T> = {
   res: BrowserResponse;
   ctx: BrowserRouteContext;
   targetId?: string;
+  /**
+   * Set for routes that read from or return data scoped to the selected tab.
+   * Leave false only for routes that navigate, activate, close, or otherwise manage the tab.
+   */
+  enforceCurrentUrlAllowed?: boolean;
   run: (ctx: RouteTabContext) => Promise<T>;
 };
 
@@ -119,6 +124,17 @@ export async function withRouteTabContext<T>(
   }
   try {
     const tab = await profileCtx.ensureTabAvailable(params.targetId);
+    if (params.enforceCurrentUrlAllowed) {
+      await assertBrowserNavigationResultAllowed({
+        url: tab.url,
+        ...withBrowserNavigationPolicy(params.ctx.state().resolved.ssrfPolicy, {
+          browserProxyMode: resolveBrowserNavigationProxyMode({
+            resolved: params.ctx.state().resolved,
+            profile: profileCtx.profile,
+          }),
+        }),
+      });
+    }
     return await params.run({
       profileCtx,
       tab,
@@ -137,6 +153,10 @@ export async function withRouteTabContext<T>(
   }
 }
 
+/**
+ * Response-only URL redaction. This swallows policy failures and must not be used as
+ * an execution gate; use enforceCurrentUrlAllowed on the route helper instead.
+ */
 export async function resolveSafeRouteTabUrl(params: {
   ctx: BrowserRouteContext;
   profileCtx: ProfileContext;
@@ -171,6 +191,11 @@ type RouteWithPwParams<T> = {
   ctx: BrowserRouteContext;
   targetId?: string;
   feature: string;
+  /**
+   * Set for routes that read from or return data scoped to the selected tab.
+   * Leave false only for routes that navigate, activate, close, or otherwise manage the tab.
+   */
+  enforceCurrentUrlAllowed?: boolean;
   run: (ctx: RouteTabPwContext) => Promise<T>;
 };
 
@@ -182,6 +207,7 @@ export async function withPlaywrightRouteContext<T>(
     res: params.res,
     ctx: params.ctx,
     targetId: params.targetId,
+    enforceCurrentUrlAllowed: params.enforceCurrentUrlAllowed,
     run: async ({ profileCtx, tab, cdpUrl, resolveTabUrl }) => {
       const pw = await requirePwAi(params.res, params.feature);
       if (!pw) {
diff --git a/extensions/browser/src/browser/routes/agent.snapshot.ts b/extensions/browser/src/browser/routes/agent.snapshot.ts
@@ -318,6 +318,7 @@ export function registerBrowserAgentSnapshotRoutes(
         ctx,
         targetId,
         feature: "pdf",
+        enforceCurrentUrlAllowed: true,
         run: async ({ cdpUrl, tab, pw }) => {
           const pdf = await pw.pdfViaPlaywright({
             cdpUrl,
@@ -361,18 +362,12 @@ export function registerBrowserAgentSnapshotRoutes(
         res,
         ctx,
         targetId,
+        enforceCurrentUrlAllowed: true,
         run: async ({ profileCtx, tab, cdpUrl }) => {
           if (getBrowserProfileCapabilities(profileCtx.profile).usesChromeMcp) {
-            const ssrfPolicyOpts = browserNavigationPolicyForProfile(ctx, profileCtx);
             if (element) {
               return jsonError(res, 400, EXISTING_SESSION_LIMITS.snapshot.screenshotElement);
             }
-            if (ssrfPolicyOpts.ssrfPolicy) {
-              await assertBrowserNavigationResultAllowed({
-                url: tab.url,
-                ...ssrfPolicyOpts,
-              });
-            }
             if (labels) {
               const snapshot = await takeChromeMcpSnapshot({
                 profileName: profileCtx.profile.name,
diff --git a/extensions/browser/src/browser/routes/agent.storage.ts b/extensions/browser/src/browser/routes/agent.storage.ts
@@ -85,6 +85,7 @@ export function registerBrowserAgentStorageRoutes(
         ctx,
         targetId,
         feature: "cookies",
+        enforceCurrentUrlAllowed: true,
         run: async ({ cdpUrl, tab, pw }) => {
           const result = await pw.cookiesGetViaPlaywright({
             cdpUrl,
@@ -109,6 +110,7 @@ export function registerBrowserAgentStorageRoutes(
         return jsonError(res, 400, "cookie is required");
       }
 
+      // Intentional: mutation routes are outside the tab-scoped read/export guard scope.
       await withPlaywrightRouteContext({
         req,
         res,
@@ -148,6 +150,7 @@ export function registerBrowserAgentStorageRoutes(
       const body = readBody(req);
       const targetId = resolveTargetIdFromBody(body);
 
+      // Intentional: mutation routes are outside the tab-scoped read/export guard scope.
       await withPlaywrightRouteContext({
         req,
         res,
@@ -181,6 +184,7 @@ export function registerBrowserAgentStorageRoutes(
         ctx,
         targetId,
         feature: "storage get",
+        enforceCurrentUrlAllowed: true,
         run: async ({ cdpUrl, tab, pw }) => {
           const result = await pw.storageGetViaPlaywright({
             cdpUrl,
@@ -207,6 +211,7 @@ export function registerBrowserAgentStorageRoutes(
       }
       const value = typeof mutation.body.value === "string" ? mutation.body.value : "";
 
+      // Intentional: mutation routes are outside the tab-scoped read/export guard scope.
       await withPlaywrightRouteContext({
         req,
         res,
@@ -235,6 +240,7 @@ export function registerBrowserAgentStorageRoutes(
         return;
       }
 
+      // Intentional: mutation routes are outside the tab-scoped read/export guard scope.
       await withPlaywrightRouteContext({
         req,
         res,
@@ -263,6 +269,7 @@ export function registerBrowserAgentStorageRoutes(
         return jsonError(res, 400, "offline is required");
       }
 
+      // Intentional: mutation routes are outside the tab-scoped read/export guard scope.
       await withPlaywrightRouteContext({
         req,
         res,
@@ -301,6 +308,7 @@ export function registerBrowserAgentStorageRoutes(
         }
       }
 
+      // Intentional: mutation routes are outside the tab-scoped read/export guard scope.
       await withPlaywrightRouteContext({
         req,
         res,
diff --git a/extensions/browser/src/browser/server.agent-contract-form-layout-act-commands.test.ts b/extensions/browser/src/browser/server.agent-contract-form-layout-act-commands.test.ts
diff --git a/extensions/browser/src/browser/server.control-server.test-harness.ts b/extensions/browser/src/browser/server.control-server.test-harness.ts
