Flags
Network safety
--block-private-ips and --allow-ip-range filter outbound connections by IP, so a page cannot reach internal hosts. --ip-blocklist seeds that filter from an external threat feed, refreshable on a running server with --server-update-blocklist-interval. The robots.txt pre-fetch honors the same filter. [1]
--adblock-rules loads EasyList-syntax filter lists to cancel matching requests and hide matching page elements, refreshable on a running server with --server-update-adblock-interval. It only ever cancels a request, so it cannot override the IP filter or bypass robots.txt.
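The validate-then-pin pattern behind an IP filter of this kind, and the rebinding window the footnote describes, shown as an added example (not zshot's own code). The function names, the injectable resolver, and the rule that an allowed range exempts an address from the private-IP block are assumptions made for illustration; the DNS answers are constructed.

```python
import ipaddress
import socket

def _normalize(ip):
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr

def permitted(ip, allow_ranges=()):
    """True if a connection to ip may proceed."""
    addr = _normalize(ip)
    # Assumption: an allowed range exempts an address from the private-IP block.
    if any(addr in ipaddress.ip_network(net) for net in allow_ranges):
        return True
    # is_global is False for loopback, RFC 1918, link-local, CGNAT, etc.
    return addr.is_global

def resolve_and_pin(host, port, allow_ranges=(), resolver=socket.getaddrinfo):
    """Resolve once, validate every answer, return the IP literal to dial."""
    infos = resolver(host, port, type=socket.SOCK_STREAM)
    ips = [info[4][0] for info in infos]
    blocked = [ip for ip in ips if not permitted(ip, allow_ranges)]
    if not ips or blocked:
        raise PermissionError(f"{host}: blocked addresses {blocked}")
    # Dial this literal, not the hostname: a second lookup could differ.
    return ips[0]

def make_rebinding_resolver():
    """Constructed stand-in for DNS: public answer first, loopback afterwards."""
    answers = iter(["93.184.216.34", "127.0.0.1"])
    def resolver(host, port, type=0):
        return [(socket.AF_INET, type, 6, "", (next(answers), port))]
    return resolver

if __name__ == "__main__":
    dns = make_rebinding_resolver()
    pinned = resolve_and_pin("rebind.example", 443, resolver=dns)
    print("validated and pinned:", pinned)
    # A client that re-resolves the name at connect time gets the next answer.
    try:
        resolve_and_pin("rebind.example", 443, resolver=dns)
    except PermissionError as err:
        print("second lookup rejected:", err)
```

A client that validates the hostname but then lets another component resolve it again never sees the second answer, which is why the check and the connection have to use the same IP literal.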
[1] The robots.txt fetch connects only to the IP it validated. Page navigation is filtered as well, but Chromium resolves DNS itself when connecting, leaving a narrow rebinding window zshot cannot close. For hard isolation against actively malicious input, pair the IP filter with network-level egress controls.