Skip to content

feat(cors): Add CORS policy check and response to browsers. #450

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

feat(cors): Add CORS policy check and response to browsers. #450

wants to merge 8 commits into from

Conversation

AOrazaev
Copy link

No description provided.

AOrazaev
AOrazaev commented May 20, 2025
View reviewed changes
AOrazaev
AOrazaev commented May 20, 2025
View reviewed changes
AOrazaev
AOrazaev commented May 20, 2025
View reviewed changes
AOrazaev
AOrazaev commented May 20, 2025
View reviewed changes
@AOrazaev
Copy link
Author

@microsoft-github-policy-service agree

@AOrazaev AOrazaev force-pushed the orazaev/cors_support branch from b21f59d to 770eae1 Compare May 20, 2025 01:24
pavelfeldman
pavelfeldman reviewed May 20, 2025
View reviewed changes
config.d.ts Outdated
/**
* Origins to allow by CORS policy. Can be regex.
*/
corsAllowOrigins?: RegExp[];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This rather belongs to the 'server' section.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good suggestion. Moved to the server.

src/transport.ts Outdated
if (origin === undefined)
return false;

if (config.network.corsAllowOrigins.some(re => re.test(origin))) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is your use case? This exposes universal access to the host machine to the client, including full access to the fs.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a browser based "agent prototype" which connects to the localhost playwright-mcp. By default browsers will not allow connection because of CORS policies. So for now user starts playwright-mcp on his machine, adds "agent url" to allowed origins and then connection can be made.

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@pavelfeldman pavelfeldman pavelfeldman left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AOrazaev @pavelfeldman