[Bug]: Browser relay (port 18792) rejects CORS preflight OPTIONS requests — Chrome extension can't authenticate #23842
## Summary
The browser relay server on the default CDP relay port (18792) returns `401 Unauthorized` on CORS
preflight `OPTIONS` requests, preventing the Chrome extension options page from validating the gateway
token.
### Steps to reproduce
## Environment
- OpenClaw: 2026.2.21-2
- OS: macOS 15.7.4 (x64)
- Node: 25.6.1
- Chrome: 145.0.0.0
- Extension: v0.1.0 (unpacked via `openclaw browser extension install`)
- Gateway port: 18789 (default)
- Relay port: 18792 (gateway + 3)
### Expected behavior
## Expected
Extension options page shows: "Relay reachable and authenticated at http://127.0.0.1:18792/"
### Actual behavior
## Actual
Extension options page shows: **"Gateway token rejected. Check token and save again."**
### OpenClaw version
2026.2.21-2
### Operating system
macOS 15.7.4 (x64)
### Install method
### Logs, screenshots, and evidence
### Impact and severity
No response
### Additional information
## Steps to Reproduce
- Install OpenClaw, start gateway
- Install Chrome extension via `openclaw browser extension install` + load unpacked
- Open extension Options page
- Enter port `18792` and the correct gateway token
- Click Save
## Root Cause
The extension options page (`options.js`) sends a `fetch()` GET request to
`http://127.0.0.1:18792/json/version` with a custom header `x-openclaw-relay-token`. Because this is a
cross-origin request with a custom header, Chrome sends a CORS preflight `OPTIONS` request first —
without the auth header (per HTTP spec).

The relay returns `401 Unauthorized` on the preflight:

```shell
$ curl -X OPTIONS \
  -H "Origin: chrome-extension://gnnfbkbcdhkhbglmkgdpidkjaeekgphl" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: x-openclaw-relay-token" \
  http://127.0.0.1:18792/json/version
HTTP/1.1 401 Unauthorized
```

Meanwhile, the actual GET request with the token works fine:

```shell
$ curl -H "x-openclaw-relay-token: <token>" http://127.0.0.1:18792/json/version
HTTP/1.1 200 OK
{"Browser":"OpenClaw/extension-relay","Protocol-Version":"1.3"}
```
## Suggested Fix
The relay server should respond to `OPTIONS` preflight requests with `200 OK` and appropriate
`Access-Control-Allow-*` headers (at minimum for `chrome-extension://` origins) without requiring the
auth token on the preflight itself.
## Workaround
None found for the Chrome extension relay. Users can use the `openclaw` managed browser profile as an
alternative.
Labels
bug, browser
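
One way to order the checks the Suggested Fix describes, as an added example that is not OpenClaw's relay code: the preflight is answered before authentication for an allowlisted extension origin only, and every other request still needs the token. `relayResponse`, `tokenMatches` and `ALLOWED_ORIGINS` are hypothetical names; the origin is the one from the curl reproduction in the issue.

```javascript
// Added example: preflight-before-auth ordering for a loopback relay.
// relayResponse(), tokenMatches() and ALLOWED_ORIGINS are hypothetical, not OpenClaw code.
const TOKEN_HEADER = 'x-openclaw-relay-token';
// Origin copied from the curl reproduction in the issue; pin real extension IDs here.
const ALLOWED_ORIGINS = new Set(['chrome-extension://gnnfbkbcdhkhbglmkgdpidkjaeekgphl']);

// Comparison that does not stop at the first mismatch; in Node prefer crypto.timingSafeEqual.
function tokenMatches(given, expected) {
  let diff = given.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ given.charCodeAt(i % (given.length || 1));
  }
  return diff === 0;
}

// headers: lower-cased names, as Node's req.headers provides them.
function relayResponse(method, headers, expectedToken) {
  const origin = headers['origin'];
  const originOk = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const cors = originOk ? { 'access-control-allow-origin': origin, 'vary': 'Origin' } : {};

  // Preflight is answered before auth: the browser never attaches
  // the custom token header to the OPTIONS request.
  if (method === 'OPTIONS' && headers['access-control-request-method']) {
    if (!originOk) return { status: 403, headers: {} };
    return {
      status: 204, // any 2xx status passes the browser's preflight check
      headers: {
        ...cors,
        'access-control-allow-methods': 'GET',
        'access-control-allow-headers': TOKEN_HEADER,
        'access-control-max-age': '600',
      },
    };
  }

  // Everything else still requires the token; the preflight grants nothing.
  const given = headers[TOKEN_HEADER];
  if (typeof given !== 'string' || !tokenMatches(given, expectedToken)) {
    return { status: 401, headers: cors };
  }
  return { status: 200, headers: cors };
}
```

Echoing the allowlisted origin back instead of `*` keeps ordinary web pages from passing the preflight, and returning CORS headers on the 401 lets the options page read the rejection rather than see an opaque network error.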