[Field Report] Chrome 136+ binds CDP to [::1] (IPv6) on Windows — portproxy v4tov4 breaks silently

[Owlock]

OpenClaw version: 2026.3.13 (61d171a) → updated recently to latest
OS: Windows 10 x64 + WSL2
Chrome version: 146.0.7680.154
Reported by: @Owlock (contributor, PR #39407 merged)

---

Summary

After a PC reboot, openclaw browser tabs --browser-profile remote returned no tabs.
Root cause: Chrome 136+ on Windows ignores --remote-debugging-address=127.0.0.1 and binds CDP to [::1]:9222 (IPv6 loopback) instead of 127.0.0.1:9222 (IPv4). The existing portproxy v4tov4 → 127.0.0.1:9222 fails silently because Chrome no longer listens on that IPv4 address. No error is surfaced by OpenClaw diagnostics.

---

Diagnosis steps

curl.exe http://[::1]:9222/json/version # → 200 OK ✅
curl.exe http://127.0.0.1:9222/json/version # → curl: (52) Empty reply ❌

netstat -ano | findstr :9222
# TCP [::1]:9222 LISTENING <chrome_pid> ← IPv6 only

---

Fix

Replace v4tov4 portproxy rules with v4tov6 pointing to ::1. PowerShell Admin (one by one):

netsh interface portproxy reset
netsh interface portproxy add v4tov6 listenaddress=127.0.0.1 listenport=9222 connectaddress=::1 connectport=9222
netsh interface portproxy add v4tov6 listenaddress=172.30.144.1 listenport=9222 connectaddress=::1 connectport=9222

After this, both curl.exe http://127.0.0.1:9222/json/version and curl.exe http://172.30.144.1:9222/json/version return Chrome JSON correctly.

---

Why this happens

Chrome has been hardening remote debugging security since v136. The --remote-debugging-address flag is now ignored internally. On Windows, Chrome resolves localhost as IPv6-first (::1), so the CDP listener ends up on [::1] rather than 127.0.0.1.

Reference: https://developer.chrome.com/blog/remote-debugging-port

---

Suggested improvements to OpenClaw

1. Doc update: The WSL2 + Windows CDP guide (PR docs: add WSL2 + Windows remote Chrome CDP troubleshooting guide #39407) should note that on Chrome 136+, netstat -ano | findstr :9222 should be run to detect IPv4 vs IPv6 binding, and portproxy should use v4tov6 accordingly.

2. openclaw doctor enhancement: Add a check that tests both 127.0.0.1:9222 AND [::1]:9222 — the current silent failure gives no hint that Chrome changed its binding address.

Note: Windows Test Mode (TESTSIGNING ON) was confirmed to have no effect on this issue.

[bek91]

#68666 appears to describe the same underlying WSL2/Windows CDP issue.

Useful extra details from that report:

• Reproduced on Windows 11 + WSL2 Ubuntu with OpenClaw 2026.4.15 and Chrome 147.
• The current WSL2 troubleshooting docs recommend a v4tov4 portproxy rule:

  netsh interface portproxy add v4tov4 listenport=9222 listenaddress=0.0.0.0 connectport=9222 connectaddress=127.0.0.1

but this fails when Chrome only responds on [::1]:9222.

Behavior:

• curl http://:9222/json/version from WSL2 → empty reply
• curl http://127.0.0.1:9222/json/version from Windows → empty reply
• curl http://[::1]:9222/json/version from Windows → 200 OK

The duplicate suggests replacing the docs’ v4tov4 rule with v4tov6:

netsh interface portproxy delete v4tov4 listenport=9222 listenaddress=0.0.0.0
netsh interface portproxy add v4tov6 listenport=9222 listenaddress=0.0.0.0 connectport=9222 connectaddress=::1

It also reports that Chrome 147 may require --user-data-dir to point to a non-default directory before CDP HTTP endpoints respond:

chrome.exe --remote-debugging-port=9222 --remote-debugging-address=0.0.0.0 --user-data-dir="C:\ChromeDebug" --no-first-run --remote-allow-origins="*"

Suggested doc update target: https://docs.openclaw.ai/tools/browser-wsl2-windows-remote-cdp-troubleshooting

This reinforces that the docs should recommend diagnosing IPv4 vs IPv6 CDP binding and using v4tov6 when Chrome is listening on [::1].

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still has the documented WSL2 + Windows Chrome CDP IPv4-only guidance and generic browser diagnostics, while the duplicate report was closed into this issue as the canonical tracker.

Reproducibility: yes. The issue and #68666 provide concrete Windows/WSL2 curl and netstat steps, and current-main source inspection reproduces the OpenClaw-side gap by showing the docs and doctor/status paths still do not mention [::1] or v4tov6.

Next step
Queue a narrow repair because the affected docs, browser diagnostic surface, related duplicate, likely files, and validation path are clear without a product decision.

Review details

Best possible solution:

Update the WSL2 browser guide with IPv4/IPv6 CDP diagnosis and v4tov6 portproxy guidance, then add a scoped browser doctor/status hint for the Windows Chrome loopback mismatch.

Do we have a high-confidence way to reproduce the issue?

Yes. The issue and #68666 provide concrete Windows/WSL2 curl and netstat steps, and current-main source inspection reproduces the OpenClaw-side gap by showing the docs and doctor/status paths still do not mention [::1] or v4tov6.

Is this the best way to solve the issue?

Yes. The narrow docs update plus a browser doctor/status hint is the maintainable path; changing generic CDP transport or auto-managing Windows portproxy would be broader and more security-sensitive.

Acceptance criteria:

• pnpm docs:check-mdx
• pnpm docs:check-links
• pnpm test extensions/browser/src/browser/doctor.test.ts extensions/browser/src/browser/chrome.test.ts extensions/browser/src/cli/browser-cli-manage.test.ts
• pnpm check:changed

What I checked:

• WSL2 CDP guide remains IPv4-only: The guide starts Windows Chrome on port 9222 and verifies only http://127.0.0.1:9222 plus the WSL2-reachable Windows host address; it does not mention checking http://[::1]:9222, netstat listener family, or v4tov6 portproxy. Public docs: docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md. (docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md:76, 14b5f73e2a5e)
• Fast checklist omits IPv6 diagnosis: The checklist still asks only whether Windows-side 127.0.0.1 and WSL2-side WINDOWS_HOST_OR_IP work, leaving the reported IPv6-only listener path undocumented. Public docs: docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md. (docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md:197, 14b5f73e2a5e)
• Nearby portproxy docs are not CDP guidance: The Windows platform page's v4tov4 portproxy section is for exposing services running inside WSL over LAN, not forwarding Windows Chrome's IPv6 loopback CDP listener back to WSL2. Public docs: docs/platforms/windows.md. (docs/platforms/windows.md:138, 14b5f73e2a5e)
• Browser doctor hints remain generic: The CDP HTTP/WebSocket checks advise inspecting browser.cdpUrl, launch logs, proxy env, stale locks, and port conflicts, with no Windows IPv6 loopback or portproxy mismatch hint. (extensions/browser/src/browser/doctor.ts:109, 14b5f73e2a5e)
• Status probes only the selected endpoint: Browser status computes cdpHttp and cdpReady from the resolved profile endpoint only; it does not compare a failing configured IPv4 endpoint with a Windows-side IPv6 listener. (extensions/browser/src/browser/routes/basic.ts:72, 14b5f73e2a5e)
• Diagnostic taxonomy has no portproxy case: CDP diagnostics classify version-read failures as generic HTTP/JSON/WebSocket/SSRF cases; there is no Windows IPv6 loopback or portproxy mismatch code or hint. (extensions/browser/src/browser/chrome.diagnostics.ts:19, 14b5f73e2a5e)

Likely related people:

• Peter Steinberger: Git history for the WSL2 CDP guide and browser diagnostics shows Peter merged the guide PR and recently changed CDP startup diagnostics and browser ownership paths. (role: recent maintainer and merger; confidence: high; commits: 9d467d1620d2, 58da2f5897fe, 8eeb7f082975; files: docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md, extensions/browser/src/browser/chrome.diagnostics.ts, extensions/browser/src/browser/doctor.ts)
• Owlock: Provided GitHub context says Owlock authored merged PR docs: add WSL2 + Windows remote Chrome CDP troubleshooting guide #39407, which added the WSL2 Windows remote Chrome CDP guide now missing the Chrome IPv6 binding update, and also filed this field report. (role: introduced related docs and domain reporter; confidence: medium; commits: 9d467d1620d2; files: docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md, docs/docs.json)

Remaining risk / open question:

• Chrome's Windows CDP binding behavior varies by version/channel, so docs should make v4tov6 conditional on curl/netstat evidence instead of presenting it as universal.
• A diagnostic fix must preserve existing CDP endpoint SSRF checks and avoid recommending broad remote-debugging exposure without local firewall/context caveats.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 14b5f73e2a5e.