@BYK BYK commented Dec 3, 2025

Add allowedOrigins option to CLI and setupSidecar API for configuring
additional CORS origins beyond the built-in defaults (localhost, machine
IPs, spotlightjs.com). This addresses use cases like custom local domains,
tunneling services (ngrok, localtunnel), Docker containers, and LAN access.

The option supports two matching modes: full origins (e.g., https://ngrok.io:443)
for strict matching, and plain domains (e.g., myapp.local) to allow any
protocol/port combination. Multiple origins can be specified via repeatable
flags or comma-separated values.

Fixes #1171
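
The two matching modes described in the PR description above, sketched as an added example that is not part of the PR or of Spotlight's code. The helper names `parseAllowedOrigins` and `isOriginAllowed`, the URL-based normalization, and the sample values are assumptions made for illustration.

```javascript
// Added example with hypothetical helper names; not Spotlight's implementation.
// Assumption: entries and Origin headers are normalized with the WHATWG URL
// parser, so default ports (":443" on https) and host case do not matter.

// Accepts repeated flag values, each optionally a comma-separated list.
function parseAllowedOrigins(values) {
  const origins = new Set(); // full origins: scheme, host and port must match
  const domains = new Set(); // plain domains: any scheme and any port
  for (const entry of values.flatMap((v) => v.split(","))) {
    const item = entry.trim();
    if (!item) continue;
    if (item.includes("://")) {
      origins.add(new URL(item).origin); // throws on a malformed entry
    } else {
      domains.add(item.toLowerCase());
    }
  }
  return { origins, domains };
}

function isOriginAllowed(originHeader, allowList) {
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false; // missing, literal "null" or malformed Origin header
  }
  if (url.origin === "null") return false; // opaque origins such as file:
  if (allowList.origins.has(url.origin)) return true;
  // Compare the whole hostname. A suffix or substring check would also
  // accept "myapp.local.other.example".
  return allowList.domains.has(url.hostname);
}

// Constructed configuration: one repeated flag value holding a comma list.
const allowList = parseAllowedOrigins(["https://ngrok.io:443,myapp.local", "dev.box"]);

// Constructed request origins to show which mode accepts what.
const SAMPLE_ORIGINS = [
  "https://ngrok.io",                  // strict entry, default port
  "http://ngrok.io",                   // wrong scheme for a strict entry
  "http://myapp.local:3000",           // plain domain, any scheme and port
  "https://myapp.local.other.example", // different hostname
];
for (const origin of SAMPLE_ORIGINS) {
  console.log(origin, isOriginAllowed(origin, allowList));
}
```

The plain-domain mode trusts every scheme and port on that hostname, so a full origin is the narrower choice when the scheme and port are known.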

@BYK BYK marked this pull request as ready for review December 3, 2025 03:47
@BYK BYK merged commit 75a1848 into main Dec 3, 2025
20 checks passed
@BYK BYK deleted the byk/feat/cors-allow-list branch December 3, 2025 03:58
BYK pushed a commit that referenced this pull request Dec 3, 2025
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and publish to npm
yourself or [setup this action to publish
automatically](https://github.com/changesets/action#with-publishing). If
you're not ready to do a release yet, that's fine, whenever you add more
changesets to main, this PR will be updated.


# Releases
## @spotlightjs/spotlight@4.7.0

### Minor Changes

- Add `--allowed-origin` / `-A` CLI option and `allowedOrigins` API
option for configuring additional CORS origins. Supports both full
origins (e.g., `https://ngrok.io:443`) for strict matching and plain
domains (e.g., `myapp.local`) for permissive matching. Fixes
[#1171](#1171).
([#1176](#1176))

### Patch Changes

- Restore draggable electron app and recover semaphore buttons
([#1173](#1173))

- Allow any DNS pointing to localhost in CORS
([#1175](#1175))

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

gajus commented Jan 15, 2026

Came here searching for this.

Something that threw me off is that the `--help` command does not show this option.

```
$ spotlight server --help
🔎 [Spotlight] Spotlight by Sentry - v4.10.0

server - Start the Spotlight sidecar server (default command)

Usage: spotlight [server] [options]

Start the Spotlight sidecar HTTP server.

This is the default command when running 'spotlight' without arguments.
The server listens for events from Sentry SDKs and serves the Spotlight UI.

The server provides:
  - HTTP endpoint for receiving Sentry envelopes
  - Server-Sent Events (SSE) stream for real-time updates
  - Web UI at http://localhost:PORT

Examples:
  spotlight                          # Start on default port 8969
  spotlight server                   # Explicit server command
  spotlight --open                   # Start and open dashboard in browser
  spotlight --port 3000              # Start on port 3000
  spotlight -p 3000 -d               # Start on port 3000 with debug logging
```

Development

Successfully merging this pull request may close these issues.

CORS restrictions missing configuration for additional allowed origins
