[simonw]

The most convincing implementation I've seen of this so far is to lock down access to just a single IP address, then run an HTTP proxy server at that IP address which can control what sites can be proxied to.

Then inject HTTP_PROXY and HTTPS_PROXY environment variables so tools running in the sandbox know what to use.

[thomasballinger]

Codex remote environments seem to do this, we had to add support (via two lines of code) for these proxy environment variables to our CLI to support talking to GitHub from these environments.