CORS restrictions missing configuration for additional allowed origins #1171

Description

@rassie

Problem

Commit d9ed848 (#1138) introduced CORS origin restrictions to the sidecar for security. However, the implementation hardcodes allowed origins with no way to configure additional ones.

The only allowed origins are:

  • localhost / 127.0.0.1 / [::1] (any port/protocol)
  • https://spotlightjs.com and subdomains (HTTPS only, default port)

Broken Use Cases

This breaks legitimate development scenarios:

  • Custom local domains - myapp.local, dev.myapp.test (common with /etc/hosts)
  • Docker containers with custom hostnames
  • Tunneling services - ngrok, localtunnel, Cloudflare tunnels (webhook testing, mobile dev)
  • VMs with different hostnames
  • LAN access from another device (testing on phone/tablet)
  • Corporate internal domains like dev.company.internal
  • WSL with custom networking

Proposed Solution

Add an allowedOrigins option to SideCarOptions:

export type SideCarOptions = {
  // ...existing options
  
  /**
   * Additional origins to allow for CORS requests.
   * Useful for custom local domains, tunnels, etc.
   */
  allowedOrigins?: string[];
};

The isAllowedOrigin function should check this list in addition to the hardcoded defaults.
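As an added illustration of the proposal (not the sidecar's own code, and not from the issue author), the check below combines the two hard-coded default rules described above with a configurable list. The option name `allowedOrigins` comes from the issue; `parseOrigin`, `buildAllowedOrigins`, `matchesDefaults` and the strict "must be a bare `scheme://host[:port]`" rule for configured entries are assumptions of this example. Configured origins are matched exactly, so adding `https://myapp.local` does not also admit its subdomains or its HTTP variant, and a wildcard entry is rejected at configuration time rather than silently widening the allow-list to every site.

```typescript
// Added example: configurable CORS origin allow-list on top of the defaults
// the issue describes. Uses only the global WHATWG URL class (Node/browser).

// Option shape as proposed in the issue.
type SideCarOptions = {
  allowedOrigins?: string[];
};

// Defaults from the issue: loopback hosts on any port or protocol, and
// spotlightjs.com plus subdomains over HTTPS on the default port only.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const TRUSTED_DOMAIN = "spotlightjs.com";

// Parse a value as a serialized origin (scheme://host[:port]) and return null
// for anything else: "null", "*", paths, trailing slashes, credentials, or
// non-http(s) schemes. Comparing against url.origin enforces the bare form.
function parseOrigin(value: string): URL | null {
  let url: URL;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.origin.toLowerCase() !== value.toLowerCase()) return null;
  return url;
}

// The hard-coded rules from the issue.
function matchesDefaults(url: URL): boolean {
  // Loopback: any scheme, any port.
  if (LOOPBACK_HOSTS.has(url.hostname)) return true;
  // Trusted domain: HTTPS on the default port, exact host or a subdomain.
  if (url.protocol !== "https:" || url.port !== "") return false;
  const host = url.hostname;
  return host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
}

// Validate the configured list once at startup. Invalid entries (including
// "*") raise instead of being ignored, so a typo cannot weaken or silently
// disable the allow-list. Entries are stored in canonical form.
function buildAllowedOrigins(options: SideCarOptions): Set<string> {
  const allowed = new Set<string>();
  for (const entry of options.allowedOrigins ?? []) {
    const url = parseOrigin(entry);
    if (url === null) {
      throw new Error(
        `allowedOrigins entry is not a bare scheme://host[:port] origin: ${JSON.stringify(entry)}`,
      );
    }
    allowed.add(url.origin);
  }
  return allowed;
}

// Decide for one Origin header value. Defaults first, then exact matches
// against the configured set; malformed or absent-style values are denied.
function isAllowedOrigin(origin: string, extraOrigins: Set<string>): boolean {
  const url = parseOrigin(origin);
  if (url === null) return false;
  return matchesDefaults(url) || extraOrigins.has(url.origin);
}

// Sample configuration (constructed for this example).
const extra = buildAllowedOrigins({
  allowedOrigins: ["https://myapp.local", "https://abc123.ngrok.app"],
});
console.log(isAllowedOrigin("https://myapp.local", extra)); // true
console.log(isAllowedOrigin("http://myapp.local", extra)); // false
```

Call `buildAllowedOrigins` once when the sidecar starts and pass the resulting set to every `isAllowedOrigin` call; the per-request cost is a URL parse and a set lookup.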
