fix: allow custom control UI origins

Ishan Godawatta · Ishan Godawatta · commit 5d19030888d5 · 2026-04-28T15:45:41.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ Docs: https://docs.openclaw.ai
 - Active Memory docs: document the `cacheTtlMs` 1000-120000 ms range and 15000 ms default so setup snippets do not lead users past the schema limit. Fixes #65708. (#65737) Thanks @WuKongAI-CMU.
 - fix(agents): canonicalize provider aliases in byProvider tool policy lookup [AI]. (#72917) Thanks @pgondhi987.
 - fix(security): block npm_execpath injection from workspace .env [AI-assisted]. (#73262) Thanks @pgondhi987.
+- Gateway/Control UI: match custom-scheme browser origins such as `tauri://localhost` against explicit `gateway.controlUi.allowedOrigins` entries, so desktop wrappers do not need wildcard origins. Fixes #46520. Thanks @mosidevv.
 - Tools/web_fetch: decode response bodies from raw bytes using declared HTTP, XML, or HTML meta charsets before extraction, so Shift_JIS and other legacy-charset pages no longer return mojibake. Fixes #72916. Thanks @amknight.
 - Active Memory: skip payload-less `memory_search` transcript tool results when building debug telemetry, so newer empty entries no longer hide the latest useful debug payload. (#68773) Thanks @SimbaKingjoe.
 - Channels/Discord: bound message read/search REST calls, route those actions through Gateway execution, and fall back to `CommandTargetSessionKey` for inbound hook session keys so Discord reads do not hang and hooks still fire when `SessionKey` is empty. Fixes #73431. (#73521) Thanks @amknight.
diff --git a/src/gateway/origin-check.test.ts b/src/gateway/origin-check.test.ts
@@ -56,6 +56,24 @@ describe("checkBrowserOrigin", () => {
       },
       expected: { ok: true as const, matchedBy: "allowlist" as const },
     },
+    {
+      name: "accepts allowlisted custom-scheme origins",
+      input: {
+        requestHost: "gateway.example.com:18789",
+        origin: "tauri://LOCALHOST",
+        allowedOrigins: ["tauri://localhost"],
+      },
+      expected: { ok: true as const, matchedBy: "allowlist" as const },
+    },
+    {
+      name: "rejects unlisted custom-scheme origins",
+      input: {
+        requestHost: "gateway.example.com:18789",
+        origin: "electron://localhost",
+        allowedOrigins: ["tauri://localhost"],
+      },
+      expected: { ok: false as const, reason: "origin not allowed" },
+    },
     {
       name: "rejects missing origin",
       input: {
diff --git a/src/gateway/origin-check.ts b/src/gateway/origin-check.ts
@@ -20,8 +20,12 @@ function parseOrigin(
   }
   try {
     const url = new URL(trimmed);
+    const origin =
+      url.origin === "null" && url.protocol && url.host
+        ? `${url.protocol}//${url.host}`
+        : url.origin;
     return {
-      origin: normalizeLowercaseStringOrEmpty(url.origin),
+      origin: normalizeLowercaseStringOrEmpty(origin),
       host: normalizeLowercaseStringOrEmpty(url.host),
       hostname: normalizeLowercaseStringOrEmpty(url.hostname),
     };
