Network Isolation

The security.network node decides whether a session reaches the outside world and, if so, through a domain allow-list or block-list. It is enforced as host firewall rules around the session.

Editor Network Isolation accordion  ·  JSON security.network

Properties

PropertyTypeDefaultNotes
isolated *booleantrue = no external network; false = internet access (subject to the domain lists). Required.
allowedDomainsstring[][]Whitelist used when isolated is false. Supports wildcards.
blockedDomainsstring[][]Blacklist of domains to deny.
allowLoopbackbooleantrueLocalhost / 127.0.0.1 connections. See the override note — this is forced on at runtime.

Editor enforcement modes

The editor hides the raw flags behind a single Enforcement Mode dropdown that writes the underlying JSON:

ModeResulting JSON
Unrestrictedisolated: false, both domain lists empty
Blacklistisolated: false + blockedDomains
Whitelistisolated: false + allowedDomains
Full Isolationisolated: true, both lists empty

The editor always writes allowLoopback: true and does not expose it as a control.

Sample

"network": {
  "isolated": false,
  "allowedDomains": ["*.internal.example.com", "updates.vendor.com"],
  "blockedDomains": [],
  "allowLoopback": true
}
app.config.xml override

isolated, allowedDomains and blockedDomains are policy-driven (enforced by the Session Manager's firewall rules) with no app.config equivalent — policy wins. allowLoopback is forced to true in the session regardless of the policy value, because loopback is required for WebStream's internal communication; a policy false is logged and ignored.