"According to Anthropic's engineering blog, the new network isolation approach only allows Internet access "through a unix domain socket connected to a proxy server running outside the sandbox. ... This proxy server enforces restrictions on the domains that a process can connect to, and handles user confirmation for newly requested domains." Additionally, users can customize the proxy to set their own rules for outgoing traffic."
"Now, it can instead be given permissions for specific file system folders and network servers. That means fewer approval steps, but it's also more secure overall against prompt injection and other risks. For many developers, these additions are more significant than the availability of web or mobile interfaces. They allow Claude Code agents to operate more independently without as many detailed, line-by-line approvals."
"That's more convenient, but it's a double-edged sword, as it will also make code review even more important. One of the strengths of the too-many-approvals approach was that it made sure developers were still looking closely at every little change. Now it might be a little bit easier to miss Claude Code making a bad call. The new features are available in beta now as a research preview, and they are available to Claude users with Pro or Max subscriptions."
Network isolation now permits Internet access only through a unix domain socket connected to a proxy server running outside the sandbox. The proxy enforces domain restrictions and handles user confirmation for newly requested domains. Users can customize the proxy to set rules for outgoing traffic. Agents can be granted permissions for specific file system folders and network servers, reducing approval steps and improving security against prompt injection. The setup allows fetching packages from approved sources while limiting broader communications. Reduced approvals enable more independent agent operation but increase the importance of careful code review. The features are available in beta for Pro and Max subscribers.
Read at Ars Technica
Unable to calculate read time
Collection
[
|
...
]