Back to Signal Feed
CodeTracked since May 18, 2026

Block `data:` and `blob:` URL bypasses in browser-use domain filtering

The PR fixes a policy bypass in browser-use URL checks by enforcing domain rules for special schemes: when `allowed_domains` or `prohibited_domains` is configured, `data:` URLs are denied and `blob:` URLs are validated against the embedded origin checks so they cannot slip past existing domain allowlist/prohibitlist logic.

allowed_domainsprohibited_domainsURL policydata: URL

What Happened

  • The PR fixes a policy bypass in browser-use URL checks by enforcing domain rules for special schemes: when `allowed_domains` or `prohibited_domains` is configured, `data:` URLs are denied and `blob:` URLs are validated against the embedded origin checks so they cannot slip past existing domain allowlist/prohibitlist logic.
  • The PR fixes a policy bypass in browser-use URL checks by enforcing domain rules for special schemes: when `allowed_domains` or `prohibited_domains` is configured, `data:` URLs are denied and `blob:` URLs are validated against the embedded origin checks so they cannot slip past existing domain allowlist/prohibitlist logic.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Added explicit domain-policy enforcement for restricted sessions to stop special-scheme bypasses: `data:` URLs are now rejected when domain rules are set, and `blob:` URLs are treated as carrying an embedded origin that must satisfy the same domain checks as normal URLs; added regression tests for allowlist/prohibitlist/ unrestricted modes and opaque `blob:` edge cases.

Why Track This

Why It Matters

Operators running browser-use with domain restrictions will stop seeing blocked or prohibited targets reached through `data:` or crafted `blob:` links, so policy-controlled automation stays within governance boundaries instead of silently leaking traffic. The change is implemented by hard-blocking `data:` URLs when either allow/prohibit domain rules are enabled and by resolving `blob:` URLs to their embedded origin before reuse of existing checks; continue monitoring for false positives with legitimate `blob:` URL workflows and for any new scheme-based bypasses as URL parsing paths evolve.

Impact

Operators running browser-use with domain restrictions will stop seeing blocked or prohibited targets reached through `data:` or crafted `blob:` links, so policy-controlled automation stays within governance boundaries instead of silently leaking traffic. The change is implemented by hard-blocking `data:` URLs when either allow/prohibit domain rules are enabled and by resolving `blob:` URLs to their embedded origin before reuse of existing checks; continue monitoring for false positives with legitimate `blob:` URL workflows and for any new scheme-based bypasses as URL parsing paths evolve.

What To Watch Next

  • Watch whether allowed_domains becomes a repeated pattern.
  • Track follow-up changes around AI Agents.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: watch_for_blob_false_positives_in_legit_workflows, monitor_new_special_scheme_bypass_vectors.
Open Topic TimelineOpen Technical EventOpen Original Sourcewatch_for_blob_false_positives_in_legit_workflows / monitor_new_special_scheme_bypass_vectors / verify_domain_rule_behavior_in_unrestricted_sessions

Supporting Evidence

GITHUB PULL REQUESTHigh Trust

browser-use/browser-use PR #4850: fix(security): block special-scheme domain bypasses

Security fix for issue #4763 that blocks special-scheme URL bypasses by denying `data:` URLs under domain policy and making `blob:` URLs inherit and pass embedded-origin validation, with regression coverage for allowlist, prohibitlist, unrestricted sessions, and opaque/internal `blob:` cases.