Network Isolation
The security.network node decides whether a session reaches the outside world and, if so, through a domain allow-list or block-list. It is enforced as host firewall rules around the session.
Editor Network Isolation accordion · JSON
security.networkProperties
| Property | Type | Default | Notes |
|---|---|---|---|
isolated * | boolean | — | true = no external network; false = internet access (subject to the domain lists). Required. |
allowedDomains | string[] | [] | Whitelist used when isolated is false. Supports wildcards. |
blockedDomains | string[] | [] | Blacklist of domains to deny. |
allowLoopback | boolean | true | Localhost / 127.0.0.1 connections. See the override note — this is forced on at runtime. |
Editor enforcement modes
The editor hides the raw flags behind a single Enforcement Mode dropdown that writes the underlying JSON:
| Mode | Resulting JSON |
|---|---|
| Unrestricted | isolated: false, both domain lists empty |
| Blacklist | isolated: false + blockedDomains |
| Whitelist | isolated: false + allowedDomains |
| Full Isolation | isolated: true, both lists empty |
The editor always writes allowLoopback: true and does not expose it as a control.
Sample
"network": {
"isolated": false,
"allowedDomains": ["*.internal.example.com", "updates.vendor.com"],
"blockedDomains": [],
"allowLoopback": true
}
app.config.xml override
isolated, allowedDomains and blockedDomains are policy-driven (enforced by the Session Manager's firewall rules) with no app.config equivalent — policy wins. allowLoopback is forced to true in the session regardless of the policy value, because loopback is required for WebStream's internal communication; a policy false is logged and ignored.