
fix(browse): replace wildcard CORS with localhost origin on sidebar endpoints#724

Open
garagon wants to merge 1 commit into garrytan:main from garagon:fix/sidebar-cors-wildcard

Conversation

Contributor

@garagon garagon commented Mar 31, 2026

Summary

Sidebar endpoints (/sidebar-tabs, /sidebar-tabs/switch, /sidebar-chat) respond with Access-Control-Allow-Origin: *. This allows any cross-origin website to read chat history, tab data, and agent status from the local browse server via fetch().

Replace with http://127.0.0.1:{port} so only same-origin requests from the extension are accepted.

What changed

4 occurrences of wildcard CORS replaced with the actual localhost origin in browse/src/server.ts.

4 regression tests added to browse/test/server-auth.test.ts:

  • /sidebar-tabs has no wildcard CORS
  • /sidebar-tabs/switch has no wildcard CORS
  • /sidebar-chat has no wildcard CORS
  • No wildcard CORS anywhere in server source

Test results

10/10 server-auth tests pass (6 existing + 4 new).
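The before and after described above, as an added TypeScript example that is not the project's browse/src/server.ts: the wildcard grant the PR removes, the fixed loopback origin it introduces, a hardened variant that only emits the CORS header when the request's Origin matches that origin, and a source-scan check in the spirit of the fourth regression test. The port, the function names and the scan regex are assumptions.

```typescript
// Added example (not the project's code). Assumptions: the browse server
// listens on `port` and the extension's pages load from http://127.0.0.1:<port>.

type CorsHeaders = Record<string, string>;

// The pattern the PR removes: any origin may read the response body.
function wildcardCorsHeaders(): CorsHeaders {
  return { "Access-Control-Allow-Origin": "*" };
}

// The pattern the PR introduces: one fixed loopback origin.
function localhostOrigin(port: number): string {
  return `http://127.0.0.1:${port}`;
}

// Hardened variant: grant CORS only when the request's Origin header is
// exactly the expected loopback origin. Any other origin (or a request with
// no Origin) gets no Access-Control-Allow-Origin header, so the browser
// blocks the cross-origin read of chat history, tab data and agent status.
function corsHeadersFor(requestOrigin: string | undefined, port: number): CorsHeaders {
  const allowed = localhostOrigin(port);
  if (requestOrigin === allowed) {
    return {
      "Access-Control-Allow-Origin": allowed,
      // The response now depends on Origin, so shared caches must key on it.
      Vary: "Origin",
    };
  }
  return {};
}

// Regression check like the PR's "no wildcard CORS anywhere in server source"
// test: scan source text for the header name followed by a literal "*" value,
// whether written as an object key (": '*'") or a setHeader argument (", '*'").
function hasWildcardCors(source: string): boolean {
  return /Access-Control-Allow-Origin['"]?\s*[:=,]\s*['"]\*['"]/.test(source);
}
```

Note that http://localhost:{port} and http://127.0.0.1:{port} are distinct origins, so a page loaded from the localhost form would receive no grant from this check.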

…ndpoints

Sidebar endpoints (/sidebar-tabs, /sidebar-tabs/switch, /sidebar-chat)
responded with Access-Control-Allow-Origin: * which allows any cross-origin
site to read chat history, tab data, and agent status from the local server.

Replace with the actual localhost origin so only same-origin requests
from the extension are accepted. Add regression tests for all sidebar
endpoints.