docs: clarify browser allowlist defaults and risks

2026-01-11 01:55:38 +01:00
parent a32021dc3e
commit fe46a2663b
3 changed files with 11 additions and 0 deletions
--- a/docs/tools/browser.md
+++ b/docs/tools/browser.md
@@ -245,5 +245,6 @@ How it maps:
  - In sandboxed sessions, `target: "host"` requires `agents.defaults.sandbox.browser.allowHostControl=true`.
  - If `target` is omitted: sandboxed sessions default to `sandbox`, non-sandbox sessions default to `host`.
  - Sandbox allowlists can restrict `target: "custom"` to specific URLs/hosts/ports.
+  - Defaults: allowlists unset (no restriction), and sandbox host control is disabled.

 This keeps the agent deterministic and avoids brittle selectors.