fix: handle CORS preflight OPTIONS requests in browser relay #23962
Closed
miloudbelarebia wants to merge 1 commit into openclaw:main from
src/browser/extension-relay.ts
Outdated
|
|
||
| // Handle CORS preflight requests from the browser extension. | ||
| if (req.method === "OPTIONS") { | ||
| const origin = getHeader(req, "origin") ?? "*"; |
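Review bot: The `?? "*"` fallback on the `const origin` line hands a wildcard to any preflight that arrives without an Origin header, and a supplied Origin is taken as-is with no check in the visible lines. Refuse the preflight unless the header starts with `chrome-extension://`, and drop the wildcard fallback so a missing Origin is rejected instead of allowed.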
Contributor
OPTIONS handler accepts any origin, but WebSocket upgrade (line 510) validates `chrome-extension://` prefix - consider same validation here for consistency
Add OPTIONS handler with proper CORS headers for the browser extension relay. Validate the Origin header against the chrome-extension:// prefix, consistent with the WebSocket upgrade path, to reject cross-origin preflight from non-extension origins. Fixes openclaw#23842
b3ef610 to 9a77fe4
steipete added a commit that referenced this pull request Feb 26, 2026
Reworks browser relay CORS handling for extension-origin preflight and JSON responses, adds regression tests, and updates changelog. Landed from contributor @miloudbelarebia (PR #23962). Co-authored-by: Miloud Belarebia <miloudbelarebia@users.noreply.github.com>
Contributor
Landed on
What I changed while landing:
SHA mapping:
Thanks for the fix, @miloudbelarebia.
Contributor
Author
Thanks @steipete — glad the fix was useful. The expanded CORS handling + regression tests look solid. Appreciate the changelog reference too.
Summary
`Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers` with the relay auth header name
Test plan
Fixes #23842
Greptile Summary
Added CORS preflight (OPTIONS) handler to the browser relay HTTP server. The implementation returns 204 status with `Access-Control-Allow-Origin` (echoing the request origin or `*`), `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers` (including the relay auth header), and `Access-Control-Max-Age` headers. This enables Chrome extensions to make cross-origin requests to the relay server.
Confidence Score: 4/5
`chrome-extension://` origins on line 510. While this may be intentional for flexibility, it creates an inconsistency in security posture.
Last reviewed commit: b3ef610
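An added example (not code from this PR or from openclaw) of a preflight decision that checks the Origin header before echoing it, which is the consistency the review comment asks for. The auth header name, method list and max-age are assumed placeholders, and the 32-character `a`-`p` extension ID pattern is an assumption that is stricter than the prefix check the page mentions.

```typescript
// Added example, not the openclaw implementation.
const RELAY_AUTH_HEADER = "x-relay-auth-placeholder"; // hypothetical header name
// Assumed pattern: scheme plus a 32-character extension ID, nothing after it.
const EXTENSION_ORIGIN = /^chrome-extension:\/\/[a-p]{32}$/;

interface PreflightResult {
  status: number;
  headers: Record<string, string>;
}

// True only for a well-formed extension origin; a bare prefix match would
// also accept values with trailing data appended to the ID.
function isExtensionOrigin(origin: string | undefined): origin is string {
  return typeof origin === "string" && EXTENSION_ORIGIN.test(origin);
}

// Decide the response to an OPTIONS preflight. `headers` uses lower-case
// keys, the form in which Node's http module presents request headers.
function handlePreflight(
  headers: Record<string, string | undefined>,
): PreflightResult {
  const origin = headers["origin"];
  if (!isExtensionOrigin(origin)) {
    // Missing or non-extension Origin: send no Access-Control-* headers,
    // so the browser blocks the follow-up request. No "*" fallback.
    return { status: 403, headers: { Vary: "Origin" } };
  }
  return {
    status: 204,
    headers: {
      // Echo only an origin that passed validation.
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": "GET, POST, OPTIONS", // assumed list
      "Access-Control-Allow-Headers": `Content-Type, ${RELAY_AUTH_HEADER}`,
      "Access-Control-Max-Age": "600", // assumed value, in seconds
      // The response differs per Origin, so caches must key on it.
      Vary: "Origin",
    },
  };
}
```
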