fix: secure chrome extension relay cdp

Peter Steinberger
2026-02-01 02:25:14 -08:00
parent e4f7155369
commit a1e89afcc1
6 changed files with 129 additions and 11 deletions


@@ -610,6 +610,7 @@ access those accounts and data. Treat browser profiles as **sensitive state**:
- Disable browser sync/password managers in the agent profile if possible (reduces blast radius).
- For remote gateways, assume “browser control” is equivalent to “operator access” to whatever that profile can reach.
- Keep the Gateway and node hosts tailnet-only; avoid exposing relay/control ports to LAN or public Internet.
- The Chrome extension relays CDP endpoint is auth-gated; only OpenClaw clients can connect.
- Disable browser proxy routing when you dont need it (`gateway.nodes.browser.mode="off"`).
- Chrome extension relay mode is **not** “safer”; it can take over your existing Chrome tabs. Assume it can act as you in whatever that tab/profile can reach.
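Review bot: The added bullet "The Chrome extension relays CDP endpoint is auth-gated; only OpenClaw clients can connect." is missing the possessive ("relay's CDP endpoint"), and "auth-gated" is too vague for a hardening checklist: say what the gate is, so the reader knows what "only OpenClaw clients" actually depends on, e.g. "The Chrome extension relay's CDP endpoint requires an internal auth token; only OpenClaw clients holding that token can connect." Consider also stating that the token does not change the next bullet's warning: an authenticated client still has full tab control. While editing this list, the neighbouring context line "Disable browser proxy routing when you dont need it" should read "don't".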


@@ -169,6 +169,7 @@ Recommendations:
- Prefer a dedicated Chrome profile (separate from your personal browsing) for extension relay usage.
- Keep the Gateway and any node hosts tailnet-only; rely on Gateway auth + node pairing.
- Avoid exposing relay ports over LAN (`0.0.0.0`) and avoid Funnel (public).
- The relay blocks non-extension origins and requires an internal auth token for CDP clients.
Related:
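Review bot: The added bullet "The relay blocks non-extension origins and requires an internal auth token for CDP clients." lists the two controls as equals, but they are not: an Origin check only defends against web content running inside the browser, since any non-browser client can send an arbitrary Origin header, so the token is the control that keeps other local processes out. Suggest ordering and wording to reflect that, e.g. "The relay requires an internal auth token for CDP clients; it additionally rejects non-extension origins as defense in depth against web pages in the same browser." It would also help to say where the token comes from and whether it is rotated, if that is documented elsewhere. Formatting: "Related:" follows the last list item with no blank line between them, so Markdown renderers may fold it into the bullet as a lazy continuation; add a blank line before it.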