feat(sidecar): Add --allowed-origin CLI option for custom CORS origins #1176
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add allowedOrigins option to CLI and setupSidecar API for configuring additional CORS origins beyond the built-in defaults (localhost, machine IPs, spotlightjs.com). This addresses use cases like custom local domains, tunneling services (ngrok, localtunnel), Docker containers, and LAN access. The option supports two matching modes: full origins (e.g., https://ngrok.io:443) for strict matching, and plain domains (e.g., myapp.local) to allow any protocol/port combination. Multiple origins can be specified via repeatable flags or comma-separated values. Fixes #1171
|
The latest updates on your projects. Learn more about Vercel for GitHub. 1 Skipped Deployment
|
BYK
pushed a commit
that referenced
this pull request
Dec 3, 2025
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or [setup this action to publish automatically](https://github.com/changesets/action#with-publishing). If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated. # Releases ## @spotlightjs/[email protected] ### Minor Changes - Add `--allowed-origin` / `-A` CLI option and `allowedOrigins` API option for configuring additional CORS origins. Supports both full origins (e.g., `https://ngrok.io:443`) for strict matching and plain domains (e.g., `myapp.local`) for permissive matching. Fixes [#1171](#1171). ([#1176](#1176)) ### Patch Changes - Restore draggable electron app and recover semaphore buttons ([#1173](#1173)) - Allow any DNS pointing to localhost in CORS ([#1175](#1175)) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add allowedOrigins option to CLI and setupSidecar API for configuring
additional CORS origins beyond the built-in defaults (localhost, machine
IPs, spotlightjs.com). This addresses use cases like custom local domains,
tunneling services (ngrok, localtunnel), Docker containers, and LAN access.
The option supports two matching modes: full origins (e.g.,
https://ngrok.io:443)for strict matching, and plain domains (e.g.,
myapp.local) to allow anyprotocol/port combination. Multiple origins can be specified via repeatable
flags or comma-separated values.
Fixes #1171