Localhost sidekick
A tiny daemon that lets the Linux Sandbox make real outbound network requests from inside your browser — bypassing the CORS limits of the default fetch-based path.
1. Install
Paste this into a terminal. It downloads a single ~11 MB binary to ~/.local/bin/c2w-net.
curl -fsSL https://webdev.pro/sandbox-sidekick/install.sh | sh 2. Run
Start the daemon and leave the terminal open. It listens on
ws://localhost:8888; the sandbox tab connects to it.
~/.local/bin/c2w-net -listen-ws :8888 3. Switch the sandbox to sidekick mode
Open the Linux Sandbox and pick Localhost sidekick in the network-mode toggle. Boot the shell and run curl https://example.com — it'll actually return HTML.
Behind a corporate SSL-inspection proxy?
Zscaler, Netskope, Palo Alto SSL Decrypt and friends all intercept HTTPS and re-sign with a corp root CA. Your host trusts that CA; the sandbox's fresh Alpine image doesn't, so curl https://github.com in sidekick mode fails with self-signed certificate in certificate chain. The fix is to hand the sandbox your corp CA bundle.
The sandbox can reach your host's loopback at 192.168.127.254 (gvisor-tap-vsock convention) — so serve the bundle locally from a third terminal:
# macOS — dump every cert in your admin keychain (includes corp roots)
security find-certificate -a -p > /tmp/ca-bundle.pem
cd /tmp && python3 -m http.server 8889 --bind 127.0.0.1 # Linux Debian/Ubuntu (or /etc/pki/... on Fedora/RHEL)
cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-bundle.pem
cd /tmp && python3 -m http.server 8889 --bind 127.0.0.1 Then in the booted sandbox (sidekick mode), pull the bundle and point TLS clients at it:
curl http://192.168.127.254:8889/ca-bundle.pem -o /tmp/ca-bundle.pem
export SSL_CERT_FILE=/tmp/ca-bundle.pem
export GIT_SSL_CAINFO=/tmp/ca-bundle.pem
# curl, wget, git now use the corp-trusted bundle
Other runtimes need their own var: Node looks for NODE_EXTRA_CA_CERTS, Python's requests reads REQUESTS_CA_BUNDLE, Go honors SSL_CERT_FILE. If 192.168.127.254 doesn't resolve, run ip route | grep default inside the sandbox — your gateway is the host. Don't ship a corp CA outside your machine.
What does this thing do, exactly?
The sandbox runs an emulated Linux kernel inside a WebAssembly VM in your tab. To do networking it has to hand outbound frames somewhere. In the default mode they're routed through the browser's fetch(), which is bound by same-origin and CORS — so most public sites refuse to respond.
The sidekick (c2w-net, from the container2wasm project, pinned to v0.8.4) is a Go daemon that listens on a WebSocket. The sandbox tab pipes raw Ethernet frames through that WebSocket; the daemon uses gvisor's userspace TCP/IP stack to make real outbound connections from your machine. No CORS, full internet.
Nothing in this binary phones home, talks to webdev.pro, or sees what you do beyond the bytes you send through the WebSocket. The source is at container2wasm/cmd/c2w-net.