Hermes Desktop remote mode rejects Electron WebSocket origins on non-loopback dashboard binds

[leonardsellem]

Bug

Hermes Desktop remote mode can report the remote backend as ready, then fail during renderer boot with:

Could not connect to Hermes gateway

This happens when the dashboard is exposed on an explicit non-loopback address, for example a Tailscale/LAN bind such as --host 100.64.x.y --insecure --tui.

Root cause

There are two related gaps in the remote path:

1. Desktop remote readiness checks /api/status, which is public. That can pass even when the saved dashboard session token is stale or unusable for the protected endpoints and WebSocket path the renderer actually needs.
2. When the packaged Electron renderer opens /api/ws, Chromium sends a non-web WebSocket Origin such as file:// or null. _ws_host_origin_is_allowed() currently allows those non-web origins only for loopback binds. For an explicit non-loopback bind, the token is accepted first, but the WebSocket is then rejected by the Host/Origin guard.

The result is a confusing split-brain state: desktop.log says Remote Hermes backend is ready, but the UI shows the boot failure overlay.

Reproduction

1. Run a dashboard on a Tailscale/LAN address:

   hermes dashboard --host 100.64.0.10 --port 9119 --insecure --no-open --tui

2. Configure Hermes Desktop remote mode to http://100.64.0.10:9119 with the injected dashboard session token.

3. Start Hermes Desktop.

Expected: the desktop renderer connects to ws://100.64.0.10:9119/api/ws?token=... and boots.

Actual: /api/status passes, then gateway.connect() fails because the WebSocket upgrade is rejected when Electron sends Origin: file:// or Origin: null.

Security expectation

The fix should not relax normal browser DNS-rebinding protection:

• Matching http(s) origins should continue to be required for web origins.
• Mismatched web origins such as http://localhost:9119 against a Tailscale host should still be rejected.
• OAuth-gated public dashboards should keep rejecting non-web origins.
• The non-web origin allowance should only apply to the legacy token-authenticated remote desktop/dashboard path, after token auth has already succeeded.

Related local evidence

On a Tailscale-bound dashboard, a direct WebSocket test reproduced the exact split:

• no Origin: open
• Origin: http://<tailscale-host>:9119: open
• Origin: file://: rejected before fix
• Origin: null: rejected before fix
• mismatched Origin: http://localhost:9119: rejected as expected

[DogaOztuzun]

+1 independent reproduction — Ubuntu / Tailscale / Docker

Second independent reproduction, same regression as OP.

Setup

• Hermes Agent: v0.15.1 (v2026.5.29.2) running inside Docker (nousresearch/hermes-agent:latest)
• Server: Ubuntu 24.04 container, dashboard invoked with --host 0.0.0.0 --insecure
• Docker port map: ${TAILSCALE_IP}:9119:9119 (bound to Tailscale IP only — not public internet)
• Client: Hermes Desktop v0.15.1 on a separate Ubuntu host on the same tailnet, Settings → Gateway → Remote Gateway → http://server:9119

Observed symptoms

• /api/status returns 200 with gateway_state: running — main process logs Remote Hermes backend is ready
• Desktop renderer immediately loops resetBootstrap() ~50×/sec
• UI message: Could not connect to Hermes gateway
• Desktop log shows Remote Hermes backend is ready → reset requested by renderer repeating forever

Confirmed the server-side WS endpoint rejects Origin: file:// and Origin: null with 403 Forbidden on the Tailscale-bound interface, before any token validation happens. The /api/ws upgrade fails even with a valid session token.

Worked in v0.13.x. Regressed somewhere in the v0.15.0 window.

Cross-links

• [Bug]: dashboard --tui: WebSocket rejected for non-loopback clients even with --insecure / --host 0.0.0.0 #33265 — companion IP-gate issue (still open, orthogonal to this Origin-gate fix). Affects --host 0.0.0.0 binds; the Origin-gate and IP-gate regressions should ideally land together.
• fix(dashboard): allow chat websockets on insecure public bind (salvage #33278) #35141 (merged via PR fix(dashboard): allow chat websockets on insecure public bind (salvage #33278) #35141) — earlier IP-gate fix that left the Origin gate untouched; explains why this regression survived.
• fix(dashboard): allow desktop websocket origins on remote binds #37405 — proposed fix LGTM; independently verified on my live server with curl -i against the patched container.

👍 on the proposed fix; please merge.

[yazan1991]

Adding a field confirmation from a real Tailnet deployment.

Environment shape:

• Hermes dashboard stays bound to loopback: 127.0.0.1:9119
• Tailscale Serve exposes a tailnet-only TCP/HTTP route to a macOS Hermes Desktop client
• Desktop remote REST readiness succeeds (/api/status returns 200), then renderer boot fails on the live gateway WebSocket

Observed behavior:

• desktop.log reports Remote Hermes backend is ready
• Direct remote WebSocket smoke to /api/ws?token=<redacted> was rejected before the workaround
• An SSH loopback tunnel from macOS (-L local:127.0.0.1:9119) makes Desktop work, which strongly suggests the backend/renderer path is healthy and the failure is in the non-loopback remote WebSocket auth/origin boundary

Temporary workaround that works without patching Hermes source:

• Put an nginx reverse proxy on the server bound to 127.0.0.1:<proxy-port>
• Proxy to http://127.0.0.1:9119
• Preserve WebSocket upgrade headers
• Rewrite Host to 127.0.0.1:9119
• Clear Origin
• Expose that proxy through Tailscale Serve on a separate tailnet-only port

After that, both of these pass:

• GET /api/status over the tailnet route => 200
• ws://<tailnet-ip>:<port>/api/ws?token=<redacted> => WebSocket connected

This matches the issue diagnosis: Desktop's remote readiness check can pass while the actual renderer WebSocket fails. The loopback-style proxy is only a local operational workaround until the upstream fix lands.