According to https://docs.docker.com/ai/sandboxes/network-policies/#default-policy, the following two holes are poked in the sandbox by default:
*.anthropic.com
platform.claude.com:443
It is somewhat baffling that a sandbox would come with built-in security holes over which data can be exfiltrated. These should not be enabled by default, and users of Claude should not have their stuff work out of the box while every other provider requires users to manually configure things. If configuring sandbox network policies is hard, then the UX around that should be improved rather than just poking holes in the default sandbox.
It is also unclear why these holes need to be poked, as the policy says it is allow by default so you shouldn't need any explicit allow rules at all.
According to https://docs.docker.com/ai/sandboxes/network-policies/#default-policy, the following two holes are poked in the sandbox by default:
It is somewhat baffling that a sandbox would come with built-in security holes over which data can be exfiltrated. These should not be enabled by default, and users of Claude should not have their stuff work out of the box while every other provider requires users to manually configure things. If configuring sandbox network policies is hard, then the UX around that should be improved rather than just poking holes in the default sandbox.
It is also unclear why these holes need to be poked, as the policy says it is allow by default so you shouldn't need any explicit allow rules at all.