fix(security): harden sandbox browser network defaults

src/agents/sandbox/browser.ts

@@ -38,6 +38,7 @@ import { isToolAllowed } from "./tool-policy.js";
 import type { SandboxBrowserContext, SandboxConfig } from "./types.js";
 
 const HOT_BROWSER_WINDOW_MS = 5 * 60 * 1000;
+const CDP_SOURCE_RANGE_ENV_KEY = "OPENCLAW_BROWSER_CDP_SOURCE_RANGE";
 
 async function waitForSandboxCdp(params: { cdpPort: number; timeoutMs: number }): Promise<boolean> {
   const deadline = Date.now() + Math.max(0, params.timeoutMs);
@@ -106,6 +107,23 @@ async function ensureSandboxBrowserImage(image: string) {
   );
 }
 
+async function ensureDockerNetwork(network: string) {
+  const normalized = network.trim().toLowerCase();
+  if (
+    !normalized ||
+    normalized === "bridge" ||
+    normalized === "none" ||
+    normalized.startsWith("container:")
+  ) {
+    return;
+  }
+  const inspect = await execDocker(["network", "inspect", network], { allowFailure: true });
+  if (inspect.code === 0) {
+    return;
+  }
+  await execDocker(["network", "create", "--driver", "bridge", network]);
+}
+
 export async function ensureSandboxBrowser(params: {
   scopeKey: string;
   workspaceDir: string;
@@ -126,6 +144,7 @@ export async function ensureSandboxBrowser(params: {
   const containerName = name.slice(0, 63);
   const state = await dockerContainerState(containerName);
   const browserImage = params.cfg.browser.image ?? DEFAULT_SANDBOX_BROWSER_IMAGE;
+  const cdpSourceRange = params.cfg.browser.cdpSourceRange?.trim() || undefined;
   const browserDockerCfg = resolveSandboxBrowserDockerCreateConfig({
     docker: params.cfg.docker,
     browser: { ...params.cfg.browser, image: browserImage },
@@ -138,6 +157,7 @@ export async function ensureSandboxBrowser(params: {
       noVncPort: params.cfg.browser.noVncPort,
       headless: params.cfg.browser.headless,
       enableNoVnc: params.cfg.browser.enableNoVnc,
+      cdpSourceRange,
     },
     securityEpoch: SANDBOX_BROWSER_SECURITY_HASH_EPOCH,
     workspaceAccess: params.cfg.workspaceAccess,
@@ -196,6 +216,7 @@ export async function ensureSandboxBrowser(params: {
     if (noVncEnabled) {
       noVncPassword = generateNoVncPassword();
     }
+    await ensureDockerNetwork(browserDockerCfg.network);
     await ensureSandboxBrowserImage(browserImage);
     const args = buildSandboxCreateArgs({
       name: containerName,
@@ -226,6 +247,9 @@ export async function ensureSandboxBrowser(params: {
     args.push("-e", `OPENCLAW_BROWSER_HEADLESS=${params.cfg.browser.headless ? "1" : "0"}`);
     args.push("-e", `OPENCLAW_BROWSER_ENABLE_NOVNC=${params.cfg.browser.enableNoVnc ? "1" : "0"}`);
     args.push("-e", `OPENCLAW_BROWSER_CDP_PORT=${params.cfg.browser.cdpPort}`);
+    if (cdpSourceRange) {
+      args.push("-e", `${CDP_SOURCE_RANGE_ENV_KEY}=${cdpSourceRange}`);
+    }
     args.push("-e", `OPENCLAW_BROWSER_VNC_PORT=${params.cfg.browser.vncPort}`);
     args.push("-e", `OPENCLAW_BROWSER_NOVNC_PORT=${params.cfg.browser.noVncPort}`);
     if (noVncEnabled && noVncPassword) {

src/agents/sandbox/config-hash.test.ts

@@ -110,6 +110,7 @@ describe("computeSandboxBrowserConfigHash", () => {
     const shared = {
       browser: {
         cdpPort: 9222,
+        cdpSourceRange: undefined,
         vncPort: 5900,
         noVncPort: 6080,
         headless: false,
@@ -140,6 +141,7 @@ describe("computeSandboxBrowserConfigHash", () => {
       docker: createDockerConfig(),
       browser: {
         cdpPort: 9222,
+        cdpSourceRange: undefined,
         vncPort: 5900,
         noVncPort: 6080,
         headless: false,
@@ -159,4 +161,30 @@ describe("computeSandboxBrowserConfigHash", () => {
     });
     expect(left).not.toBe(right);
   });
+
+  it("changes when cdp source range changes", () => {
+    const shared = {
+      docker: createDockerConfig(),
+      browser: {
+        cdpPort: 9222,
+        vncPort: 5900,
+        noVncPort: 6080,
+        headless: false,
+        enableNoVnc: true,
+      },
+      securityEpoch: "epoch-v1",
+      workspaceAccess: "rw" as const,
+      workspaceDir: "/tmp/workspace",
+      agentWorkspaceDir: "/tmp/workspace",
+    };
+    const left = computeSandboxBrowserConfigHash({
+      ...shared,
+      browser: { ...shared.browser, cdpSourceRange: "172.21.0.1/32" },
+    });
+    const right = computeSandboxBrowserConfigHash({
+      ...shared,
+      browser: { ...shared.browser, cdpSourceRange: "172.22.0.1/32" },
+    });
+    expect(left).not.toBe(right);
+  });
 });

src/agents/sandbox/config-hash.ts

@@ -12,7 +12,7 @@ type SandboxBrowserHashInput = {
   docker: SandboxDockerConfig;
   browser: Pick<
     SandboxBrowserConfig,
-    "cdpPort" | "vncPort" | "noVncPort" | "headless" | "enableNoVnc"
+    "cdpPort" | "cdpSourceRange" | "vncPort" | "noVncPort" | "headless" | "enableNoVnc"
   >;
   securityEpoch: string;
   workspaceAccess: SandboxWorkspaceAccess;

src/agents/sandbox/config.ts

@@ -4,6 +4,7 @@ import {
   DEFAULT_SANDBOX_BROWSER_AUTOSTART_TIMEOUT_MS,
   DEFAULT_SANDBOX_BROWSER_CDP_PORT,
   DEFAULT_SANDBOX_BROWSER_IMAGE,
+  DEFAULT_SANDBOX_BROWSER_NETWORK,
   DEFAULT_SANDBOX_BROWSER_NOVNC_PORT,
   DEFAULT_SANDBOX_BROWSER_PREFIX,
   DEFAULT_SANDBOX_BROWSER_VNC_PORT,
@@ -27,10 +28,11 @@ export function resolveSandboxBrowserDockerCreateConfig(params: {
   docker: SandboxDockerConfig;
   browser: SandboxBrowserConfig;
 }): SandboxDockerConfig {
+  const browserNetwork = params.browser.network.trim();
   const base: SandboxDockerConfig = {
     ...params.docker,
     // Browser container needs network access for Chrome, downloads, etc.
-    network: "bridge",
+    network: browserNetwork || DEFAULT_SANDBOX_BROWSER_NETWORK,
     // For hashing and consistency, treat browser image as the docker image even though we
     // pass it separately as the final `docker create` argument.
     image: params.browser.image,
@@ -113,7 +115,9 @@ export function resolveSandboxBrowserConfig(params: {
       agentBrowser?.containerPrefix ??
       globalBrowser?.containerPrefix ??
       DEFAULT_SANDBOX_BROWSER_PREFIX,
+    network: agentBrowser?.network ?? globalBrowser?.network ?? DEFAULT_SANDBOX_BROWSER_NETWORK,
     cdpPort: agentBrowser?.cdpPort ?? globalBrowser?.cdpPort ?? DEFAULT_SANDBOX_BROWSER_CDP_PORT,
+    cdpSourceRange: agentBrowser?.cdpSourceRange ?? globalBrowser?.cdpSourceRange,
     vncPort: agentBrowser?.vncPort ?? globalBrowser?.vncPort ?? DEFAULT_SANDBOX_BROWSER_VNC_PORT,
     noVncPort:
       agentBrowser?.noVncPort ?? globalBrowser?.noVncPort ?? DEFAULT_SANDBOX_BROWSER_NOVNC_PORT,

src/agents/sandbox/constants.ts

@@ -41,6 +41,7 @@ export const DEFAULT_SANDBOX_COMMON_IMAGE = "openclaw-sandbox-common:bookworm-sl
 export const SANDBOX_BROWSER_SECURITY_HASH_EPOCH = "2026-02-21-novnc-auth-default";
 
 export const DEFAULT_SANDBOX_BROWSER_PREFIX = "openclaw-sbx-browser-";
+export const DEFAULT_SANDBOX_BROWSER_NETWORK = "openclaw-sandbox-browser";
 export const DEFAULT_SANDBOX_BROWSER_CDP_PORT = 9222;
 export const DEFAULT_SANDBOX_BROWSER_VNC_PORT = 5900;
 export const DEFAULT_SANDBOX_BROWSER_NOVNC_PORT = 6080;

src/agents/sandbox/docker.config-hash-recreate.test.ts

@@ -106,6 +106,7 @@ function createSandboxConfig(dns: string[]): SandboxConfig {
       enabled: false,
       image: "openclaw-browser:test",
       containerPrefix: "oc-browser-",
+      network: "openclaw-sandbox-browser",
       cdpPort: 9222,
       vncPort: 5900,
       noVncPort: 6080,

src/agents/sandbox/types.ts

@@ -32,7 +32,9 @@ export type SandboxBrowserConfig = {
   enabled: boolean;
   image: string;
   containerPrefix: string;
+  network: string;
   cdpPort: number;
+  cdpSourceRange?: string;
   vncPort: number;
   noVncPort: number;
   headless: boolean;