Guard current browser tab exports

[eleqtrizit]

Summary

• Adds a shared current-tab URL gate for browser route handlers that inspect an already-selected tab before collecting output.
• Applies the gate to browser debug/export endpoints so blocked current tabs return an error before collection runs.

Changes

• Added enforceCurrentUrlAllowed to withRouteTabContext and withPlaywrightRouteContext, using the existing browser navigation result policy and proxy-mode handling.
• Enabled the gate on console, errors, requests, trace, and response body routes.
• Extended the browser route helper and control-server tests to cover strict current-tab blocking.

Validation

• corepack pnpm test -- extensions/browser/src/browser/routes/agent.shared.test.ts extensions/browser/src/browser/server.agent-contract-form-layout-act-commands.test.ts
• corepack pnpm check
• corepack pnpm exec oxfmt --check extensions/browser/src/browser/routes/agent.shared.ts extensions/browser/src/browser/routes/agent.debug.ts extensions/browser/src/browser/routes/agent.act.ts extensions/browser/src/browser/routes/agent.shared.test.ts extensions/browser/src/browser/server.agent-contract-form-layout-act-commands.test.ts extensions/browser/src/browser/server.control-server.test-harness.ts
• Local agentic review was attempted; the noninteractive review command did not complete with findings.

Notes

• No behavior changes for routes that do not opt into the current-tab gate.
• Repo-wide corepack pnpm format:check currently reports unrelated formatting drift outside this change.

[clawsweeper]

Codex review: needs changes before merge.

Summary
The PR adds an opt-in current-tab URL policy gate to browser route helpers, enables it for several browser debug/export/storage routes, expands tests, and adds a changelog entry.

Reproducibility: yes. Source inspection shows the latest PR head still routes GET /snapshot through direct tab resolution and CDP fallback paths without the new current-tab gate, while the guarded route matrix does not exercise /snapshot.

Next step before merge
A narrow automated repair can add the missing snapshot route guard and regression coverage without a product decision.

Security
Needs attention: The diff strengthens several browser SSRF paths but leaves a concrete snapshot read-route gap.

Review findings

• [P2] Gate the snapshot route before claiming coverage — CHANGELOG.md:211

Review details

Best possible solution:

Keep the shared opt-in guard, apply it to GET /snapshot before any backend collection or CDP fallback, and add HTTP-level regression coverage for a blocked current-tab snapshot.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows the latest PR head still routes GET /snapshot through direct tab resolution and CDP fallback paths without the new current-tab gate, while the guarded route matrix does not exercise /snapshot.

Is this the best way to solve the issue?

No, not yet. The shared helper is the right maintainable direction, but the PR should use it for snapshot before any collection path instead of relying on backend-specific checks and a changelog claim.

Full review comments:

• [P2] Gate the snapshot route before claiming coverage — CHANGELOG.md:211
  The new changelog says snapshot is covered by the current-tab policy gate, but the PR head still leaves GET /snapshot outside withRouteTabContext({ enforceCurrentUrlAllowed: true }). CDP fallback paths can still collect from a blocked current tab, so add the route-level guard plus regression coverage or remove snapshot from the claimed fixed surface.
  Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.88

Security concerns:

• [medium] Snapshot read route remains outside the new gate — extensions/browser/src/browser/routes/agent.snapshot.ts:502
GET /snapshot can still reach snapshot collection paths without the new current-tab execution gate, including CDP fallback paths that do not receive an SSRF policy argument.
  Confidence: 0.86

Acceptance criteria:

• pnpm test extensions/browser/src/browser/routes/agent.shared.test.ts extensions/browser/src/browser/server.agent-contract-form-layout-act-commands.test.ts extensions/browser/src/browser/routes/agent.snapshot.test.ts
• pnpm exec oxfmt --check --threads=1 extensions/browser/src/browser/routes/agent.shared.ts extensions/browser/src/browser/routes/agent.snapshot.ts extensions/browser/src/browser/server.agent-contract-form-layout-act-commands.test.ts extensions/browser/src/browser/server.control-server.test-harness.ts CHANGELOG.md
• pnpm check:changed

What I checked:

• Protected label: The PR is open with the maintainer label, so it should not be cleanup-closed by this workflow even if the diff were otherwise obsolete.
• Current main lacks a pre-run route gate: On current main, withRouteTabContext resolves the selected tab and immediately invokes run; the existing resolveSafeRouteTabUrl path only redacts response URLs after collection. (extensions/browser/src/browser/routes/agent.shared.ts:121, edddb07f2055)
• PR adds the shared opt-in gate: The PR head adds enforceCurrentUrlAllowed and calls assertBrowserNavigationResultAllowed before the route callback when that flag is set. (extensions/browser/src/browser/routes/agent.shared.ts:127, 8f8a14c39da4)
• Snapshot remains outside the helper: At the PR head, GET /snapshot still resolves profileCtx and tab directly rather than using withRouteTabContext({ enforceCurrentUrlAllowed: true }). (extensions/browser/src/browser/routes/agent.snapshot.ts:502, 8f8a14c39da4)
• CDP snapshot fallback has no policy argument: The snapshot route can fall back to snapshotRoleViaCdp or direct snapshotAria, while the CDP helpers accept only wsUrl and snapshot options, so the route-level gate is needed before collection. (extensions/browser/src/browser/cdp.ts:456, edddb07f2055)
• PR test matrix omits snapshot: The new guarded route matrix covers console, errors, requests, pdf, screenshot, response body, cookies, storage, and trace routes, but it does not include /snapshot. (extensions/browser/src/browser/server.agent-contract-form-layout-act-commands.test.ts:40, 8f8a14c39da4)

Likely related people:

• steipete: Recent path history shows repeated browser route work, including CDP role snapshot fallback and safe tab URL response handling. (role: recent browser route maintainer; confidence: high; commits: ed1ac2fc4492, 7132ca5766af; files: extensions/browser/src/browser/routes/agent.snapshot.ts, extensions/browser/src/browser/routes/agent.shared.ts)
• pgondhi987: Introduced prior snapshot/screenshot/tab SSRF enforcement work that is directly adjacent to this PR's behavior. (role: snapshot SSRF hardening contributor; confidence: medium; commits: b75ad800a590; files: extensions/browser/src/browser/routes/agent.snapshot.ts)
• eleqtrizit: Has prior merged work on strict browser hostname navigation and interaction-driven navigation guards, in addition to authoring this PR. (role: browser navigation guard contributor; confidence: medium; commits: 121c452d666d, 049acf23cb03; files: extensions/browser/src/browser/navigation-guard.ts, extensions/browser/src/browser/routes/agent.snapshot.ts)
• obviyus: Recent navigation-guard history includes default hostname SSRF guard changes that affect the same policy contract used by this PR. (role: adjacent navigation-policy maintainer; confidence: medium; commits: bf1d49093ae3; files: extensions/browser/src/browser/navigation-guard.ts)

Remaining risk / open question:

• I did not run validation commands during this read-only review; the blocker is based on source and PR-head diff inspection.

Codex review notes: model gpt-5.5, reasoning high; reviewed against edddb07f2055.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25340773047
• Updated: 2026-05-04T20:12:41.530Z

[eleqtrizit]

@clawsweeper review

[clawsweeper]

🦞🦞
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.

[eleqtrizit]

Standards check for the latest branch update:

• Scope stayed inside the browser plugin route/helper/test surface: browser routes, route tests, and the control-server harness. No core, SDK, dependency, workflow, manifest, or generated surfaces were changed.
• Rechecked the security contract around tab-scoped read/export routes. The branch uses the existing SSRF navigation-result policy as the execution gate before Playwright data collection, and the snapshot path now uses the same shared route-helper gate instead of carrying a separate inline check.
• Extended the route-level regression matrix so the relevant guarded routes are covered through the HTTP control-server path. The tests assert both the client-visible policy failure and the important security property: the underlying Playwright/data collection mock is not invoked for a disallowed current-tab URL.
• Kept the tests colocated, table-driven, and harness-backed with narrow mocks plus reusable SSRF policy/current-tab URL fixtures, matching the existing browser test style.
• Rechecked formatting and whitespace on the outgoing delta.

Validation on 1a24079089b44e0a6f0a2074763cd35320b0a096:

• corepack pnpm test extensions/browser/src/browser/routes/agent.shared.test.ts extensions/browser/src/browser/server.agent-contract-form-layout-act-commands.test.ts extensions/browser/src/browser/routes/agent.snapshot.test.ts — passed, 3 files / 46 tests.
• corepack pnpm exec oxfmt --check --threads=1 extensions/browser/src/browser/routes/agent.snapshot.ts extensions/browser/src/browser/routes/agent.storage.ts extensions/browser/src/browser/server.agent-contract-form-layout-act-commands.test.ts extensions/browser/src/browser/server.control-server.test-harness.ts — passed.
• git diff --check on the outgoing delta — passed.

CI is queued for the pushed SHA.