chore(cors): broaden local origin matching for dev environments#4012
Open
IamCoder18 wants to merge 1 commit into
Open
chore(cors): broaden local origin matching for dev environments#4012IamCoder18 wants to merge 1 commit into
IamCoder18 wants to merge 1 commit into
Conversation
![kilo-code-bot[bot]](https://avatars.githubusercontent.com/in/2193792?s=60&v=4){kind=small}
Contributor
Code Review SummaryStatus: No Issues Found | Recommendation: Merge Executive SummaryBoth previously flagged regex hoisting issues are resolved; Previously Flagged Issues (now resolved)
Files Reviewed (2 files)
Reviewed by claude-4.6-sonnet-20260217 · 245,888 tokens Review guidance: REVIEW.md from base branch |
The previous localhost-only prefix check caused CORS failures when developers accessed the dev server via LAN IP (10.x, 172.16-31.x, 192.168.x), loopback (127.x), or IPv6 link-local/ULA addresses. This was common when using mobile devices on the same LAN for testing or when tunneling into the dev environment. Both gastown and wasteland were updated to use the same regex so they stay in sync. ## Summary - services/gastown/src/gastown.worker.ts - services/wasteland/src/wasteland.worker.ts
IamCoder18
force-pushed
the
feat/cors-broaden-local-ip-pattern
branch
from
8eaa298 to
9c7074d
Compare
Contributor
Author
|
Ready to review! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The dev-environment CORS origin check in both services previously used
origin.startsWith('http://localhost:'), which rejects every other loopback/LAN address even though they are still local-only traffic. That meant requests fromhttp://192.168.x.x,http://10.x.x.x,http://127.0.0.1, and similar local addresses all failed with standard CORS preflight errors in the browser console.Closes #4011
The fix replaces the single prefix check with a regex that matches:
localhost127.x.x.x10.x.x.x,172.16-31.x.x,192.168.x.x::1,fd00::/8ULA,fe80::/10link-localAll with optional ports and case-insensitive scheme matching.
Files changed:
services/gastown/src/gastown.worker.tsservices/wasteland/src/wasteland.worker.tsVerification
http://192.168.x.xorigins are accepted in dev.Visual Changes
N/A
Reviewer Notes
This regex is consistent between gastown and wasteland so the two services don't drift on what counts as "local". If we ever want to additionally allow
host.docker.internalor.localmDNS names, that belongs in a follow-up change.