Browser SSRF hostname navigation restored
OpenClaw's browser tool can now navigate to public hostnames again without explicit SSRF configuration — strict mode remains available for those who need it.
OpenClaw 2026.4.10 introduced a change to browser SSRF policy enforcement that inadvertently blocked normal browser navigation when no explicit SSRF configuration was present. Browser tool requests to public hostnames began failing with "strict browser SSRF policy requires an IP-literal URL" — even though users hadn't configured any SSRF restrictions.
The root cause was a heuristic that inferred strict mode from browser accessibility, rather than from explicit configuration. This caused hostname-based navigation to be rejected by default. The same issue affected managed browser profiles attempting to reach their own CDP endpoints on loopback.
The fix separates default behavior from explicit strict mode. Hostname navigation now works when no SSRF policy is configured, while strict hostname blocking and redirect-hop inspection remain available for deployments that explicitly configure them. Additionally, managed loopback CDP fallback requests now use the local CDP control policy instead of the potentially restrictive SSRF policy, preventing the browser from blocking its own control channel.
These changes restore the pre-2026.4.10 behavior for most users while preserving the stricter options for security-sensitive environments.
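To make the distinction in the fix concrete, here is an added example, written for this note and not taken from OpenClaw's code base: a small navigation guard that resolves strict mode only from explicit configuration, applies the IP-literal requirement and redirect-hop inspection only under that explicit strict policy, and routes the browser's own loopback /json/new control request through a separate local policy. All type and function names, the config shape, and the CDP port 9222 are assumptions for illustration.

```typescript
// Added example (not OpenClaw's code): a minimal navigation guard that keeps the
// default policy and explicit strict mode apart, as the fix described above does.
// Type and function names, the config shape and port 9222 are assumptions.

type SsrfMode = "default" | "strict";

interface SsrfPolicy {
  // Strict mode is set only by explicit configuration, never inferred.
  mode: SsrfMode;
}

interface Verdict {
  allowed: boolean;
  reason: string;
}

const DEFAULT_POLICY: SsrfPolicy = { mode: "default" };
const STRICT_POLICY: SsrfPolicy = { mode: "strict" };

// Resolve the effective policy from explicit configuration only. The regression
// came from inferring strict mode from unrelated state (browser accessibility);
// an absent or non-strict config must yield the default policy.
function resolvePolicy(config?: { ssrf?: { strict?: boolean } }): SsrfPolicy {
  return config?.ssrf?.strict === true ? STRICT_POLICY : DEFAULT_POLICY;
}

// Parse an http(s) URL and return its hostname without IPv6 brackets, or null.
function hostnameOf(raw: string): string | null {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.hostname.replace(/^\[|\]$/g, "");
}

// IPv4 dotted quad with octets 0-255, or anything containing ':' (IPv6 after
// bracket stripping). A hostname never contains ':' once the port is removed.
function isIpLiteral(host: string): boolean {
  if (host.indexOf(":") !== -1) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

function checkHop(raw: string, policy: SsrfPolicy): Verdict {
  const host = hostnameOf(raw);
  if (host === null) return { allowed: false, reason: "unsupported or unparsable URL" };
  if (policy.mode === "strict" && !isIpLiteral(host)) {
    return { allowed: false, reason: "strict browser SSRF policy requires an IP-literal URL" };
  }
  return { allowed: true, reason: "ok" };
}

// Evaluate the initial navigation plus the redirect chain the browser followed.
// Redirect-hop inspection is strict-only: default mode checks the first URL.
function checkNavigation(urls: string[], policy: SsrfPolicy): Verdict {
  if (urls.length === 0) return { allowed: false, reason: "no URL" };
  const hops = policy.mode === "strict" ? urls : urls.slice(0, 1);
  for (let i = 0; i < hops.length; i++) {
    const v = checkHop(hops[i], policy);
    if (!v.allowed) return { allowed: false, reason: `hop ${i} (${hops[i]}): ${v.reason}` };
  }
  return { allowed: true, reason: "ok" };
}

// The browser's own CDP control channel is governed by a separate local policy:
// a loopback request to the managed profile's CDP port for /json/new is allowed
// whatever the SSRF mode, so strict mode cannot block the fallback path.
function allowCdpControl(raw: string, cdpPort: number): boolean {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return false;
  }
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const loopback = host === "localhost" || host === "127.0.0.1" || host === "::1";
  return loopback && Number(url.port) === cdpPort && url.pathname === "/json/new";
}
```

The point of the split is that `resolvePolicy` has exactly one input, the explicit configuration, so no unrelated runtime state can flip a deployment into strict mode; and that `allowCdpControl` is consulted for the browser's own control channel instead of `checkNavigation`, so a strict SSRF policy can never reject the loopback /json/new request. In default mode this toy does nothing beyond scheme parsing; any allow or deny lists a deployment wants would sit in `checkHop` behind the same explicit policy object.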
Original GitHub description
Summary
- allow hostname navigation under the default browser SSRF policy object
- keep strict hostname blocking and redirect-hop inspection for explicit strict mode only
- use the loopback CDP control policy for the /json/new fallback path
Fixes #66074 Fixes #66170 Fixes #66065
Testing
pnpm test extensions/browser/src/browser/config.test.ts extensions/browser/src/browser/navigation-guard.test.ts extensions/browser/src/browser/server-context.ensure-browser-available.waits-for-cdp-ready.test.ts extensions/browser/src/browser/routes/tabs.attach-only.test.ts extensions/browser/src/browser/server-context.tab-selection-state.test.ts extensions/browser/src/browser/server-context.remote-profile-tab-ops.fallback.test.ts