Summary
Custom CDP/browser-connect trust semantics are still underspecified.
Verified current behavior
- Hermes intentionally skips SSRF checks for local browser backends; tests/tools/test_browser_ssrf_local.py encodes that contract.
- tools/browser_tool.py handles explicit BROWSER_CDP_URL / custom CDP overrides separately, but trust semantics for non-loopback or tunneled endpoints are still unclear.
Why this matters
- "Loopback hostname" is not a sufficient trust model on its own.
- SSH tunnels and forwarded ports can make remote browsers look local.
- A naive hardening pass risks both false confidence and workflow breakage.
Scope
- Define the trust model for custom CDP endpoints.
- Preserve current localhost/local-backend behavior unless intentionally changed.
- Add tests for loopback, non-loopback, and tunneled/explicitly-trusted cases.
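A sketch of the trust model the scope asks for, as an added example rather than code from Hermes or tools/browser_tool.py. It assumes the custom endpoint arrives as a BROWSER_CDP_URL-style string and that the operator can supply an allowlist of host:port entries; explicit trust takes precedence over loopback detection, because a forwarded port on 127.0.0.1 says nothing about where the browser really runs.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Trust levels (constructed for this sketch, not the project's own names).
LOOPBACK = "loopback"             # literal loopback address; no name resolution involved
EXPLICIT = "explicitly-trusted"   # operator listed this host:port (e.g. an SSH-tunneled remote)
UNTRUSTED = "untrusted"           # anything else: the connector should refuse

ALLOWED_SCHEMES = {"ws", "wss", "http", "https"}


def _is_loopback_literal(host: str) -> bool:
    """True only for IP literals in the loopback range. Names such as
    'localhost' are deliberately not matched: a name resolves wherever DNS or
    /etc/hosts says, so it is not evidence that the browser runs on this box."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def _endpoint_key(scheme: str, host: str, port) -> str:
    """Normalise to host:port so allowlist entries compare exactly."""
    default = 443 if scheme in {"wss", "https"} else 80
    return f"{host.lower()}:{port if port is not None else default}"


def classify_cdp_endpoint(cdp_url: str,
                          trusted_endpoints: frozenset = frozenset(),
                          allow_implicit_loopback: bool = True) -> str:
    """Decide how much trust a custom CDP URL gets before any connection is made.

    Explicit trust wins: a forwarded port on 127.0.0.1 may front a remote
    browser, and only the operator knows that, so the allowlist is the place
    to record it. allow_implicit_loopback=True keeps today's behaviour for
    loopback literals; False makes every custom endpoint opt-in.
    """
    parts = urlsplit(cdp_url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"malformed or unsupported CDP URL: {cdp_url!r}")
    key = _endpoint_key(parts.scheme, parts.hostname, parts.port)
    if key in {entry.lower() for entry in trusted_endpoints}:
        return EXPLICIT
    if allow_implicit_loopback and _is_loopback_literal(parts.hostname):
        return LOOPBACK
    return UNTRUSTED
```

The three return values map directly onto the loopback, non-loopback and tunneled/explicitly-trusted cases listed above, so each can get its own test.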
Non-goals
- Do not ship a one-line host-based restriction and call the problem solved.
- Do not change generic local-browser behavior in the same issue.
Acceptance criteria
- Custom CDP trust behavior is explicit.
- SSRF expectations for cloud, local, and custom CDP modes are covered by tests.
- Backward-compatibility tradeoffs are documented.