docs(security): clarify canvas host exposure and auth

Peter Steinberger
2026-02-14 14:55:10 +01:00
parent 8025e7c6c2
commit 6a386a7886
13 changed files with 35 additions and 21 deletions


@@ -347,6 +347,16 @@ The Gateway multiplexes **WebSocket + HTTP** on a single port:
- Default: `18789`
- Config/flags/env: `gateway.port`, `--port`, `OPENCLAW_GATEWAY_PORT`
This HTTP surface includes the Control UI and the canvas host:
- Control UI (SPA assets) (default base path `/`)
- Canvas host: `/__openclaw__/canvas/` and `/__openclaw__/a2ui/` (arbitrary HTML/JS; treat as untrusted content)
If you load canvas content in a normal browser, treat it like any other untrusted web page:
- Don't expose the canvas host to untrusted networks/users.
- Don't make canvas content share the same origin as privileged web surfaces unless you fully understand the implications.
Bind mode controls where the Gateway listens:
- `gateway.bind: "loopback"` (default): only local clients can connect.
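Review bot: the added bullet "Don't make canvas content share the same origin as privileged web surfaces" contradicts the default layout described two lines earlier, where the Control UI (base path `/`) and the canvas host (`/__openclaw__/canvas/`, `/__openclaw__/a2ui/`) are multiplexed on one port and therefore already share an origin; the text should state plainly that this is the default state, and either name the setting that separates them or say that no such separation exists and what that means for the Control UI. The hunk also never says whether the two canvas paths sit behind the same Gateway authentication as the rest of the HTTP surface, which the commit title ("clarify canvas host exposure and auth") suggests it should; one sentence such as "The canvas host paths are / are not subject to Gateway auth" would close that gap. Finally, "If you load canvas content in a normal browser" should say what the non-normal case is (the intended embedded viewer, presumably) so readers know when the two bullets apply.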