Fix: Add wildcard support for all Hygraph Studio domains #8

Merged: d-winter merged 2 commits into main from fix/wildcard-studio-origins on Mar 4, 2026

@d-winter d-winter commented Mar 4, 2026

Problem

The SDK's default allowedOrigins list was too restrictive, containing only:

  • https://app.hygraph.com
  • http://localhost:3000

This caused the SDK to reject postMessage events from Studio instances running on:

  • Regional domains (e.g., https://studio-eu-central-1-shared-euc1-02.hygraph.com)
  • Custom Hygraph deployments
  • Staging/development environments (*.hygraph.dev)
  • Local development on different ports

Users experienced silent failures where the preview integration wouldn't work in the Studio iframe, forcing them to manually configure allowedOrigins or use studioUrl - neither of which should be necessary for iframe mode.

Solution

Updated the default allowedOrigins to use wildcard patterns (already supported by the MessageBridge):

allowedOrigins: [
  'https://*.hygraph.com',      // Matches any Hygraph subdomain
  'https://*.hygraph.dev',      // Matches staging/dev environments
  'http://localhost:*',         // Matches any local port
]

What This Fixes

✅ Works with regional Studio deployments:

  • https://app.hygraph.com
  • https://studio-eu-central-1-shared-euc1-02.hygraph.com
  • https://eu.app.hygraph.com

✅ Works with all Hygraph environments:

  • Production: *.hygraph.com
  • Staging/Dev: *.hygraph.dev

✅ Works with any localhost port:

  • http://localhost:3000
  • http://localhost:4500
  • http://localhost:8080

Technical Details

The wildcard matching logic was already implemented in MessageBridge.ts:155-165. This PR simply updates the default values to leverage that existing functionality.

The pattern https://*.hygraph.com is converted to regex ^https://.*.hygraph.com$ and matches any subdomain.

Security

The allowedOrigins validation remains in place to prevent malicious sites from sending fake postMessage events. The wildcards are scoped to Hygraph-owned domains only.

Breaking Changes

None. This is purely additive and makes the SDK work in more scenarios out of the box.

Testing

  • ✅ Type checking passes
  • ✅ Wildcard pattern verified to match example regional Studio URL
  • ✅ Existing behavior preserved

Type: Bug Fix
Version: Should be patch bump (1.0.3 → 1.0.4)

- Update default allowedOrigins to use wildcards (*.hygraph.com, *.hygraph.dev)
- Fixes iframe communication issues with regional Studio domains
- Supports custom Hygraph Studio deployments out of the box
- Adds localhost:* wildcard for flexible local development

This resolves the issue where the SDK would reject postMessage events
from Studio instances running on regional or custom domains, causing
the preview integration to fail silently.
@d-winter d-winter requested a review from a team as a code owner March 4, 2026 11:41
@d-winter d-winter merged commit 7293d6c into main Mar 4, 2026
2 checks passed
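
The description says `https://*.hygraph.com` is converted to `^https://.*.hygraph.com$`. The following added example (not the SDK's code; all function names are hypothetical, and the real MessageBridge.ts may already escape the dots) compares that conversion taken literally with one that escapes literal characters and limits `*` to hostname labels or a numeric port, run over constructed origins.

```javascript
// Conversion taken literally from the PR description: "*" becomes ".*" and
// every other character, including ".", stays a regex metacharacter.
function naivePatternToRegex(pattern) {
  return new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
}

// Stricter conversion: escape literal characters first, then let "*" match
// only digits (port position) or whole DNS labels (host position).
function strictPatternToRegex(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const source = escaped
    .replace(/:\*$/, ':\\d{1,5}')
    .replace(/\*/g, '[a-z0-9-]+(?:\\.[a-z0-9-]+)*');
  return new RegExp('^' + source + '$', 'i');
}

function isAllowedOrigin(origin, patterns, toRegex) {
  return patterns.some((p) => toRegex(p).test(origin));
}

// Default patterns from the PR description.
const DEFAULT_PATTERNS = [
  'https://*.hygraph.com',
  'https://*.hygraph.dev',
  'http://localhost:*',
];

// Constructed sample origins; the last two are lookalikes that are not
// subdomains of hygraph.com or hygraph.dev.
const SAMPLE_ORIGINS = [
  'https://app.hygraph.com',
  'https://studio-eu-central-1-shared-euc1-02.hygraph.com',
  'https://eu.app.hygraph.com',
  'http://localhost:4500',
  'https://lookalike-hygraph.com',
  'https://lookalikehygraph.dev',
];

function compareMatchers(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    naive: isAllowedOrigin(origin, DEFAULT_PATTERNS, naivePatternToRegex),
    strict: isAllowedOrigin(origin, DEFAULT_PATTERNS, strictPatternToRegex),
  }));
}

console.table(compareMatchers());
```

A unit test that feeds lookalike origins like these to the SDK's own matcher confirms whether the wildcards stay scoped to the intended domains.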