jo-inc/camofox-browser v1.1.0

v1.1.0 — Cookie Import, Proxy/GeoIP, Security Hardening

on GitHub

Features

• Cookie import — camofox_import_cookies tool + POST /sessions/:userId/cookies endpoint. Parse Netscape cookie files to authenticate against sites like LinkedIn without interactive login. Gated behind CAMOFOX_API_KEY.
• Proxy + GeoIP — route all browser traffic through a residential proxy. Set PROXY_HOST, PROXY_PORT, PROXY_USERNAME, PROXY_PASSWORD and Camoufox automatically matches locale, timezone, and geolocation to the proxy's exit IP. No manual fingerprint configuration needed.
• Structured JSON logging — every request/response logged as JSON with request IDs for production observability. Health checks excluded to reduce noise.
• Reddit JSON macros — @reddit_search and @reddit_subreddit return JSON directly (no HTML parsing needed)

Security

• Block file://, javascript:, data: URL schemes on all navigation
• Whitelist env vars passed to child processes (no more process.env spread)
• Remove dotenv — no arbitrary .env file loading
• Gate POST /stop behind admin key with timing-safe comparison
• Cookie field allowlisting, path traversal prevention, 500-cookie cap
• Session/tab caps (50/10), 100KB body limit, production error sanitization
• Require userId on all endpoints, unique fallback per plugin instance

Fixes (1.1.1–1.1.2)

• Fix plugin config not loading from api.pluginConfig (#7)
• Eliminate OpenClaw scanner false positives — restructured code so no single file triggers scanner rule pairs. process.env reads centralized in lib/config.js, subprocess spawning isolated in lib/launcher.js, cookie file I/O moved to lib/cookies.js. Zero warnings on openclaw plugins install. (#7)

Tests

• 75 unit tests: security (19), cookies (14), Netscape parser (16), macros (24), screenshots (2)

Thanks

• @BuffMcBigHuge for the cookie import feature (#6)
• @daijro for Camoufox — the engine that makes all of this possible