@BYK BYK commented Nov 20, 2025

Fixes #1137.

Restrict CORS Origins for Sidecar Security

This PR implements a security enhancement by restricting Cross-Origin Resource Sharing (CORS) for the Spotlight Sidecar to a predefined set of trusted origins.

Why this change?
This change prevents unauthorized domains from making requests to the Spotlight Sidecar, significantly improving its security posture without hindering local development workflows.

Key Changes:

  • New isAllowedOrigin Utility: A new function (packages/spotlight/src/server/utils/cors.ts) was created to validate incoming origins. It permits localhost, 127.0.0.1, and [::1] (IPv6 localhost) with any port or protocol. It also allows https://spotlightjs.com and its HTTPS subdomains (https://*.spotlightjs.com), specifically requiring HTTPS and default ports (443 or unspecified). All other origins are rejected.
  • CORS Middleware Configuration: The Hono CORS middleware in packages/spotlight/src/server/main.ts now utilizes the isAllowedOrigin function to dynamically validate request origins, replacing the previously permissive configuration.
  • Comprehensive Test Coverage: Extensive unit tests for isAllowedOrigin and integration tests for actual CORS header behavior have been added (packages/spotlight/src/server/routes/__tests__/server.test.ts) to ensure correct and secure operation across all scenarios.

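As an added example that is not part of the PR or of the Spotlight code base, here is an Origin allow-list in TypeScript that implements the rules the description lists (localhost, 127.0.0.1 and [::1] on any scheme and port; spotlightjs.com and its subdomains on HTTPS with the default port only; everything else rejected), followed by the callback shape a CORS middleware would call per request. Every name in it (LOCAL_HOSTNAMES, TRUSTED_APEX, parseOrigin, hostnameOf, isAllowedOrigin, reflectAllowedOrigin) is this example's own, and the Hono wiring is assumed rather than copied from main.ts. It goes slightly beyond the description in two ways worth knowing: it rejects the opaque `null` origin and any Origin value carrying a path, query or credentials, and it pins two parser behaviours that the allow-list depends on, namely that the WHATWG `URL` API returns an IPv6 hostname with its brackets (`new URL("http://[::1]:8969").hostname` is `"[::1]"`, the comparison the review comment below turns on) and that it normalises shorthand such as `http://127.1` to `127.0.0.1`. The same rules are restated in the release notes further down, so this one block serves both passages.

```typescript
// Added example; not the Spotlight project's cors.ts. Every name below is this
// example's own: LOCAL_HOSTNAMES, TRUSTED_APEX, parseOrigin, hostnameOf,
// isAllowedOrigin, reflectAllowedOrigin.

// Hostnames trusted on any scheme and any port (local development). The WHATWG URL
// API keeps the brackets on an IPv6 host, so "[::1]" is the correct key; the parser
// also normalises "[0:0:0:0:0:0:0:1]" to "[::1]" and "127.1" to "127.0.0.1", which is
// why the check is made on the parsed hostname and never on the raw header string.
const LOCAL_HOSTNAMES: ReadonlySet<string> = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Apex domain trusted, together with its subdomains, on HTTPS and the default port only.
const TRUSTED_APEX = "spotlightjs.com";

// Parse an Origin header value; null when it is not a URL at all.
function parseOrigin(origin: string): URL | null {
  try {
    return new URL(origin);
  } catch {
    return null;
  }
}

// Hostname exactly as the URL API exposes it (used to pin the IPv6 and IPv4 behaviour).
function hostnameOf(origin: string): string | null {
  return parseOrigin(origin)?.hostname ?? null;
}

function isAllowedOrigin(origin: string | null | undefined): boolean {
  // No Origin header, or the opaque "null" origin that sandboxed iframes, file:// and
  // data: documents, and cross-origin redirects produce: never trusted.
  if (!origin || origin === "null") return false;

  const url = parseOrigin(origin);
  if (!url) return false;

  // A browser's Origin is scheme://host[:port] and nothing else. A value carrying a
  // path, query, fragment or credentials did not come from an Origin header.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return false;
  }

  const hostname = url.hostname.toLowerCase();

  // Local development: any port, http or https.
  if (LOCAL_HOSTNAMES.has(hostname)) return true;

  // Everything else must be HTTPS on the default port. The URL API drops an explicit
  // ":443" for https, so an empty port string here means 443.
  if (url.protocol !== "https:" || url.port !== "") return false;

  // The apex itself or a dot-separated subdomain. Keeping the leading dot in the suffix
  // rules out look-alikes such as evilspotlightjs.com and spotlightjs.com.attacker.example.
  return hostname === TRUSTED_APEX || hostname.endsWith(`.${TRUSTED_APEX}`);
}

// Callback shape a CORS middleware can call per request (Hono's cors() accepts a
// function for its origin option; that wiring is assumed here, not copied from the
// project): reflect the request's own Origin when it is allowed, otherwise return null
// so that no Access-Control-Allow-Origin header is emitted. Never fall back to "*".
function reflectAllowedOrigin(origin: string): string | null {
  return isAllowedOrigin(origin) ? origin : null;
}
```

Two practical notes. Returning `null` rather than `"*"` for a rejected origin matters: a wildcard would re-open the Sidecar to every site, and reflecting an arbitrary origin would be equivalent to no check at all. And the allow-list buys exactly what CORS can buy: the browser enforces it, so it stops a page on another origin from reading Sidecar responses and from making preflighted requests; a request a browser sends without a preflight still reaches the server, where it has to be validated like any other input.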

Timeline:

- BYK deployed to Preview, November 20, 2025 10:29 (GitHub Actions, Active)
- vercel bot commented Nov 20, 2025: project spotlightjs, deployment Ready, Preview and Comment available, updated Nov 20, 2025 11:49am UTC
- cursor bot deployed to Preview, November 20, 2025 11:49 (Active)
- BYK marked this pull request as ready for review, November 20, 2025 11:51
- BYK requested a review from MathurAditya724, November 20, 2025 11:51
- BYK enabled auto-merge (squash), November 20, 2025 11:51
Review comment anchored on packages/spotlight/src/server/utils/cors.ts:

```ts
const hostname = url.hostname.toLowerCase();

// Allow localhost with any port and protocol (http or https).
// The WHATWG URL API serialises an IPv6 host with its brackets, so for an
// origin of http://[::1]:8969 url.hostname is "[::1]", which this check matches.
if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]") {
```

Bug: The isAllowedOrigin function incorrectly checks for hostname === "[::1]" when the URL API strips brackets, causing IPv6 localhost to be rejected.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

The isAllowedOrigin function incorrectly compares the hostname extracted from a URL. The JavaScript URL API parses IPv6 addresses like [::1] to ::1 (without brackets) for the hostname property. However, the if condition at packages/spotlight/src/server/utils/cors.ts:22 checks for hostname === "[::1]". This mismatch causes the comparison "::1" === "[::1]" to evaluate to false, preventing IPv6 localhost addresses from being correctly identified as allowed origins. This leads to all requests from IPv6 localhost addresses ([::1]) being incorrectly rejected by the CORS middleware, breaking local development for IPv6 users.

💡 Suggested Fix

Modify packages/spotlight/src/server/utils/cors.ts:22 to change the comparison from hostname === "[::1]" to hostname === "::1" to correctly identify IPv6 localhost addresses.


@BYK BYK merged commit d9ed848 into main Nov 20, 2025
21 checks passed
@BYK BYK deleted the cursor/secure-sidecar-with-cors-origin-restrictions-ccdd branch November 20, 2025 11:54
BYK added a commit that referenced this pull request Nov 21, 2025
BYK added a commit that referenced this pull request Nov 21, 2025
betegon added a commit that referenced this pull request Dec 1, 2025
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and publish to npm
yourself or [setup this action to publish
automatically](https://github.com/changesets/action#with-publishing). If
you're not ready to do a release yet, that's fine, whenever you add more
changesets to main, this PR will be updated.


# Releases
## @spotlightjs/[email protected]

### Minor Changes

- Added spotlight sdk for helping others to build on top of it
([#1140](#1140))

- Support COMPOSE_FILE environment variable for Docker Compose projects
([#1131](#1131))

- Prompt user to choose between docker compose and package.json when
both are present
([#1120](#1120))

### Patch Changes

- Refactor docker compose support
([#1121](#1121))

- disable sentry in development mode
([#1143](#1143))

- **Security:** Restrict CORS origins for Sidecar to prevent
  unauthorized access
  ([#1138](#1138))

  The Sidecar now only accepts requests from trusted origins:

  - `localhost` with any port or protocol (http/https)
  - `https://spotlightjs.com` and `https://*.spotlightjs.com` (HTTPS only, default port)

  ⚠️ **Potentially Breaking:** If you were accessing the Sidecar from
  other origins (e.g., custom domains, non-HTTPS spotlightjs.com), those
  connections will now be rejected. This change improves security by
  preventing malicious websites from connecting to your local Sidecar
  instance.

- Fix file capture error handling to log errors instead of crashing when
SPOTLIGHT_CAPTURE is enabled
([#1142](#1142))

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Miguel Betegón <[email protected]>
Linked issue (may be closed by merging this pull request): Restrict CORS headers for localhost:* and https://local.spotlightjs.com

4 participants