#Webpage interaction

olive burrow
#

I'm trying to get my claw to open webpages and log in, e.g. reddit.com. It says the browser tool is blocked by a strict SSRF policy requiring IP literal URLs, so I cannot interactively type the credentials. Anyone know how I can get it to work?

brazen pivotBOT
#

Let me check the exact browser SSRF docs and config keys so I don't guess. 🦐

#

First, what does openclaw --version show?

For reddit.com, strict SSRF usually is not the site itself, since it’s public. What’s usually blocked is the browser/control path you’re using, especially a cdpUrl on localhost or another private host.

The easiest working setup is:

  1. Use the host browser, not a remote/private CDP profile
  2. Have OpenClaw open the page
  3. Log in manually yourself in that browser profile
  4. Then let the agent continue

Good paths:

  • Dedicated OpenClaw browser profile
    openclaw browser start
    openclaw browser open https://reddit.com
  • Your existing signed-in Chrome/Brave session
    use the built-in user profile, or an existing-session profile, not raw cdpUrl

If your agent is sandboxed, also enable host browser control:

{
  agents: {
    defaults: {
      sandbox: {
        browser: {
          allowHostControl: true,
        },
      },
    },
  },
}

If you really are attaching to a local/private CDP endpoint, you may need explicit SSRF exceptions, for example localhost / 127.0.0.1, or as a broader opt-in:

{
  browser: {
    ssrfPolicy: {
      dangerouslyAllowPrivateNetwork: true,
    },
  },
}

I’d avoid that unless you actually need private-network browser access.

olive burrow
#

2026.4.10

brazen pivotBOT
#

Nice, 2026.4.10 is recent enough, so this probably isn’t a version mismatch.

What I’d check next:

Best setup for Reddit/login flows

If you want “open the page, I log in, then the agent uses that session”, use your normal browser session, not raw CDP:

{
  browser: {
    defaultProfile: "user",
    profiles: {
      user: {
        driver: "existing-session",
        attachOnly: true,
      },
    },
  },
}

Then open Chrome/Brave normally and test:

openclaw browser --browser-profile user tabs

If you are using cdpUrl

That strict SSRF error is often from the CDP endpoint, not reddit.com.

For local Chrome/Brave CDP attach, people have needed both allowlists plus both loopback names:

{
  browser: {
    ssrfPolicy: {
      allowedHostnames: ["localhost", "127.0.0.1"],
      hostnameAllowlist: ["localhost", "127.0.0.1"],
    },
    profiles: {
      local: {
        cdpUrl: "http://127.0.0.1:9222",
        attachOnly: true,
      },
    },
  },
}

Important: use either

  • driver: "existing-session" or
  • cdpUrl

not both on the same profile.

If the agent is sandboxed

Also add:

{
  agents: {
    defaults: {
      sandbox: {
        browser: {
          allowHostControl: true,