Claude Cowork 'Allow All Browser Actions' Permission Security Concerns and Proposed Fixes

A user on r/ClaudeAI has raised significant security concerns about the 'Allow all' button in Claude Cowork's browser action permissions. The post describes how repeated permission prompts can lead users to click this button for convenience, but it grants Claude permanent, unrestricted browser access across all future sessions.
The Security Problem
According to the source, once 'Allow all' is clicked, there's 'no visibility, boundaries, expiration or scope limitation.' This turns a UX annoyance into 'an invisible, permanent attack surface for prompt injection and other unpredictable behavior.' The user emphasizes that the scope of this permission is 'impossible for the user to properly gauge, understand and think through' at the moment of clicking.
Proposed Solutions
The post suggests making permissions scoped by default with these specific alternatives:
- Session-scoped (default): Allow all browser actions for this session only. This offers the same convenience but expires automatically, giving users better understanding of the scope.
- Skill-scoped: Browser access only while a specific skill is active. This ties permission to intent rather than providing a blank check. The suggestion includes opening one approval box when a skill asks for permissions so users can determine relevance in the current context.
- Persistent (current behavior): Keep as advanced, last-resort opt-in with a clear warning about what 'all websites, all sessions, no expiration' actually means. The user suggests this should never be allowed.
The post also includes a bonus idea: 'Maintain a list of trusted sites that can be accessed without asking for permission.'
Rationale
The user argues that 'preventing repeated permission clicks is absolutely useful - but user shouldn't have to trade permanent security exposure for basic workflow comfort.' They note that click fatigue creates its own risks as users might 'just allow everything to get rid of those damn requesters.'
📖 Read the full source: r/ClaudeAI
👀 See Also

Anthropic's Claude Desktop App Installs Undisclosed Native Messaging Bridge
Claude Desktop silently installs a preauthorized browser extension that enables native messaging, raising security concerns.

Claude Code source code reportedly leaked via NPM map file
A tweet reports that Claude Code's source code has been leaked through a map file in their NPM registry. The HN discussion has 93 points and 35 comments.

Sieve: Local Secret Scanner for AI Coding Tool Chat Histories
Sieve scans Cursor, Claude Code, Copilot, and other AI coding assistant chat histories for leaked API keys and tokens. All scanning is local, with redaction and macOS Keychain vault.

Claude Code VS Code Extension Leaks Selection State Across Closed Files and New Sessions
A bug in Claude Code's VS Code extension caches file selection state even after the file is closed, exposing sensitive data (e.g., Supabase service-role keys) to a brand new CLI session. Full repro steps and GitHub issue #58886.