Skip to content

[personal-wp] Skip CORS proxy for localhost requests#3199

Merged
adamziel merged 4 commits intotrunkfrom
skip-cors-proxy-for-localhost
Jan 28, 2026
Merged

[personal-wp] Skip CORS proxy for localhost requests#3199
adamziel merged 4 commits intotrunkfrom
skip-cors-proxy-for-localhost

Conversation

@akirk
Copy link
Copy Markdown
Member

@akirk akirk commented Jan 27, 2026
edited
Loading

Motivation for the change, related issues

Enable access to local APIs from WordPress Playground. Previously, localhost requests would be upgraded to HTTPS and could fall through to the CORS proxy retry logic, which would fail since the remote proxy cannot reach the user's localhost.

Implementation details

  • Check for localhost early in fetchWithCorsProxy and return direct fetch immediately
  • Skip HTTP→HTTPS upgrade for localhost (local APIs typically run on HTTP)
  • Skip CORS proxy for localhost requests
  • Fixed tcp-over-fetch-websocket.ts to construct HTTPS URLs (was incorrectly relying on the HTTP→HTTPS upgrade)

Testing Instructions (or ideally a Blueprint)

  1. Run a local API server (e.g., Ollama on port 11434, LM Studio on port 1234, or Beeper on port 23373)
  2. From Playground, make a fetch request to http://localhost:11434/api/...
  3. Verify the request reaches the local server directly via HTTP without being proxied or upgraded to HTTPS

@akirk akirk requested a review from adamziel January 27, 2026 18:45
@akirk akirk force-pushed the skip-cors-proxy-for-localhost branch 2 times, most recently from e6877d3 to a0fbf24 Compare January 27, 2026 19:01
@akirk akirk requested a review from brandonpayton January 27, 2026 19:02
@akirk akirk force-pushed the skip-cors-proxy-for-localhost branch from a0fbf24 to de08482 Compare January 27, 2026 19:13
adamziel
adamziel reviewed Jan 27, 2026
View reviewed changes
packages/php-wasm/web/src/lib/fetch-with-cors-proxy.ts Outdated
* Never proxy localhost requests to known local API ports. The remote proxy
* cannot reach the user's localhost, so we must fetch directly.
*
* Known ports:
Copy link
Copy Markdown
Collaborator

@adamziel adamziel Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Limiting the ports seems weird, proxying localhost makes no sense on any port. Should we guard this based on host only?

Copy link
Copy Markdown
Member Author

@akirk akirk Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I started off on that path but then got discouraged by CI failures where tcp-over-fetch-websocket tests rely on http being upgraded https upgrade. The server is HTTPS but the code constructs http:// URLs. I interpret this an an oversight and updated the websocket tests.

@akirk akirk force-pushed the skip-cors-proxy-for-localhost branch 4 times, most recently from ab5c486 to 70f1258 Compare January 28, 2026 05:53
@akirk
Skip CORS proxy for localhost requests
4c50f54 
Localhost requests now bypass the CORS proxy and are fetched directly.
This enables access to local APIs since the remote proxy cannot reach
the user's localhost.
@akirk akirk force-pushed the skip-cors-proxy-for-localhost branch 3 times, most recently from 5d16249 to 61b034e Compare January 28, 2026 10:05
@akirk
Copy link
Copy Markdown
Member Author

akirk commented Jan 28, 2026

Ok this now snow-balled into having to implement two TLS extensions (ECPointFormatsExtension and RenegotiationInfoExtension) because I wanted to test both codepaths of websocket with and without TLS. Previously the test relied on HTTPS upgrading.

@akirk akirk force-pushed the skip-cors-proxy-for-localhost branch from 61b034e to ea6b246 Compare January 28, 2026 13:15
@akirk
Update tcp-over-fetch-websocket tests and add TLS renegotiation_info …
92480f7 
…extension

- HTTP path tests now use an HTTP server (matching real localhost usage)
- Added TLS path test with proper TLS handshake
- Added renegotiation_info extension support for Node.js TLS compatibility
@akirk akirk force-pushed the skip-cors-proxy-for-localhost branch from ea6b246 to 92480f7 Compare January 28, 2026 13:33
adamziel
adamziel reviewed Jan 28, 2026
View reviewed changes
@akirk
Copy link
Copy Markdown
Member Author

akirk commented Jan 28, 2026

Comments added, ready to merge?

@adamziel adamziel merged commit bda0ed8 into trunk Jan 28, 2026
35 checks passed
@adamziel adamziel deleted the skip-cors-proxy-for-localhost branch January 28, 2026 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adamziel adamziel adamziel left review comments

@brandonpayton brandonpayton Awaiting requested review from brandonpayton

Assignees

No one assigned

Labels

[Feature] Personal Playground

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@akirk @adamziel