Nanobrowser Security (Part 2): Behavior Sandbox and Permission Control

When input filtering fails — and it will — a behavior sandbox limits what the agent can do even when compromised. Read-only mode, domain whitelist, operation downgrade.

16Yun Engineering Team · Apr 26, 2026 · 1 min read

Input Filtering Isn't Enough

The previous article covered context isolation and input filtering as the first two defense layers. But attackers can keep trying new variants. Eventually one bypasses the regex.

That's when the behavior sandbox kicks in — limiting what the agent can do even when compromised.

Read-Only Mode

For read-only tasks (information extraction, content scraping), lock to read-only:

class ReadOnlySandbox:
    # cdp_monitor and extract_content are assumed to be provided elsewhere
    # (e.g. by a base class): cdp_monitor wraps the page and rejects any
    # Chrome DevTools Protocol call whose method name is in blocked_funcs.
    async def execute(self, page, task):
        blocked = [
            "Input.dispatchKeyEvent",    # keyboard input
            "Input.dispatchMouseEvent",  # clicks and mouse movement
            "Network.setCookie",         # cookie writes
            "DOM.setFileInputFiles",     # file uploads
        ]
        async with self.cdp_monitor(page, blocked_funcs=blocked):
            return await self.extract_content(page, task)

Domain Whitelist

from urllib.parse import urlparse
class DomainBlockedError(Exception): pass

class DomainWhitelist:
    def __init__(self, allowed_domains=(), mode="allow_list"):
        self.allowed_domains, self.mode = [d.lower() for d in allowed_domains], mode

    def check(self, url):
        domain = (urlparse(url).hostname or "").lower()  # hostname strips port and userinfo
        if self.mode == "allow_list":
            # exact or subdomain match; a plain substring test would also accept example.com.evil.test
            if not any(domain == d or domain.endswith("." + d) for d in self.allowed_domains):
                raise DomainBlockedError(f"{domain} not allowed")
        return True

Operation Privilege Levels

from enum import IntEnum

class PrivilegeLevel(IntEnum):
    NORMAL = 1
    SENSITIVE = 2
    CRITICAL = 3

class OperationBlockedError(Exception):
    pass

class PrivilegeManager:
    def __init__(self):
        self.operations = {
            "page.navigate": PrivilegeLevel.NORMAL,
            "form.submit": PrivilegeLevel.SENSITIVE,
            "payment.execute": PrivilegeLevel.CRITICAL,
        }

    async def check(self, operation, context):
        # Unknown operations default to SENSITIVE rather than NORMAL (fail closed).
        level = self.operations.get(operation, PrivilegeLevel.SENSITIVE)
        if level == PrivilegeLevel.CRITICAL:
            # CRITICAL operations need a human in the loop; the screenshot shows the
            # reviewer what the agent is about to act on. request_human_confirmation
            # is assumed to be defined elsewhere.
            screenshot = await context.page.screenshot()
            confirmed = await request_human_confirmation(operation, screenshot)
            if not confirmed:
                raise OperationBlockedError(operation)
        return True

Layered Defense

[Layered defense diagram not reproduced here]

Default-Off Principle

Following Browy's security model:

  • Domain whitelist empty by default — agent can't access any site initially
  • Write operations sensitive by default — ask user confirmation on first write
  • File access off by default — agent can't read/write local files
  • Shell execution off by default — agent can't run shell commands
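As an added example (not Nanobrowser's or Browy's own code), here is one way to encode these four defaults as a single policy gate in front of the agent's proposed actions; the action dict shape, the "deny:<reason>" strings, the per-session confirmation hook and the sample session are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlparse

@dataclass
class DefaultOffPolicy:
    """Per-session policy: every capability is off or gated until enabled."""
    allowed_domains: list = field(default_factory=list)  # empty: no site reachable
    file_access: bool = False                            # local file read/write off
    shell_execution: bool = False                        # shell commands off
    confirm: Callable = lambda action: False             # human-confirmation hook
    _confirmed_writes: set = field(default_factory=set)  # (kind, url) pairs already approved

    def _domain_allowed(self, url):
        host = (urlparse(url).hostname or "").lower()
        # exact or subdomain match only, so example.com.evil.test is rejected
        return any(host == d or host.endswith("." + d) for d in self.allowed_domains)

    def decide(self, action):
        """Return 'allow' or 'deny:<reason>' for an agent-proposed action dict."""
        kind = action["kind"]
        if kind == "shell" and not self.shell_execution:
            return "deny:shell_off"
        if kind in ("file.read", "file.write") and not self.file_access:
            return "deny:file_access_off"
        if kind in ("navigate", "form.submit") and not self._domain_allowed(action["url"]):
            return "deny:domain_not_whitelisted"
        if kind in ("form.submit", "file.write"):  # writes are sensitive by default
            key = (kind, action.get("url", ""))
            if key not in self._confirmed_writes:
                if not self.confirm(action):
                    return "deny:write_not_confirmed"
                self._confirmed_writes.add(key)  # ask once, then allow repeats
        return "allow"

def run_sample_session():
    """Constructed sample session whose only whitelisted site is example.com."""
    answers = iter([True])  # the human approves the first prompt, nothing after
    policy = DefaultOffPolicy(allowed_domains=["example.com"],
                              confirm=lambda action: next(answers, False))
    actions = [
        {"kind": "navigate", "url": "https://www.example.com/login"},
        {"kind": "navigate", "url": "https://example.com.evil.test/"},   # lookalike host
        {"kind": "form.submit", "url": "https://www.example.com/login"},  # first write: prompt
        {"kind": "form.submit", "url": "https://www.example.com/login"},  # repeat: no prompt
        {"kind": "shell", "cmd": "id"},
        {"kind": "file.read", "path": "/etc/hosts"},
    ]
    return [policy.decide(a) for a in actions]
```

A freshly constructed DefaultOffPolicy() denies every navigation, write, file and shell action until the operator enables something explicitly.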
