fix(security): harden browser SSRF defaults and migrate legacy key

2026-05-03 21:54:38 +00:00 · 2026-02-24 01:51:44 +00:00
parent 8779b523dc
commit 5eb72ab769
24 changed files with 334 additions and 20 deletions
--- a/src/config/types.browser.ts
+++ b/src/config/types.browser.ts
@@ -13,8 +13,10 @@ export type BrowserSnapshotDefaults = {
  mode?: "efficient";
 };
 export type BrowserSsrFPolicyConfig = {
-  /** If true, permit browser navigation to private/internal networks. Default: false */
+  /** Legacy alias for private-network access. Prefer dangerouslyAllowPrivateNetwork. */
  allowPrivateNetwork?: boolean;
+  /** If true, permit browser navigation to private/internal networks. Default: true */
+  dangerouslyAllowPrivateNetwork?: boolean;
  /**
   * Explicitly allowed hostnames (exact-match), including blocked names like localhost.
   * Example: ["localhost", "metadata.internal"]