Bind serve to loopback and reject non-local WebSocket origins#177

Open
paulsmith wants to merge 1 commit into main from codex/serve-loopback-origins

Conversation

@paulsmith

Collaborator

Summary

Bind vibium serve to loopback by default and reject non-local WebSocket origins.

Root Cause

The proxy server printed a ws://localhost:... endpoint, but clicker/internal/api/server.go actually listened on :port, which exposed the server on every interface. The same server also accepted every WebSocket origin via CheckOrigin, so any reachable browser page could attach if the port was accessible.

What Changed

  • default the WebSocket server host to 127.0.0.1
  • route Start() through the loopback listen address instead of all interfaces
  • reject non-local Origin headers while still allowing clients that send no Origin
  • add regression tests for loopback binding and cross-origin rejection

Impact

This keeps serve aligned with its local-only contract and closes an avoidable remote-control surface for browser automation.

Validation

  • cd clicker && GOCACHE=/private/tmp/vibium-go-build-cache go test ./internal/api

Notes

  • go test ./... still fails for a pre-existing repository issue: clicker/cmd/clicker/skill.go embeds a missing SKILL.md.
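The two controls the PR describes (listen on loopback rather than `:port`, and reject cross-origin WebSocket handshakes while still admitting clients that send no Origin) are shown below as a self-contained Go program. This is an added example, not code from the vibium repository: the names `ListenAddr`, `IsLocalOrigin`, `OriginGuard` and `Probe`, the port 9515, and the use of a plain `net/http` middleware in place of the project's `CheckOrigin` hook are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// DefaultHost is the host the server binds to when the caller supplies none.
// (Assumed default for this example; the PR says the real one is 127.0.0.1.)
const DefaultHost = "127.0.0.1"

// ListenAddr builds the address handed to net.Listen. An empty host would
// produce ":port", which binds every interface, so it is replaced with loopback.
func ListenAddr(host string, port int) string {
	if host == "" {
		host = DefaultHost
	}
	return net.JoinHostPort(host, fmt.Sprint(port))
}

// IsLocalOrigin decides whether a handshake's Origin header is acceptable:
// absent (non-browser clients such as curl or a Go/Python client library),
// or scheme://host[:port] whose host is "localhost" or a loopback IP.
// "null", bare "host:port" values and anything unparsable fail closed.
func IsLocalOrigin(origin string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	host := strings.ToLower(u.Hostname()) // Hostname() strips the port and IPv6 brackets
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback() // covers 127.0.0.0/8 and ::1
}

// OriginGuard refuses cross-origin handshakes with 403 before any upgrade
// can happen. It stands in for the CheckOrigin callback of a WebSocket upgrader.
func OriginGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !IsLocalOrigin(r.Header.Get("Origin")) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe starts a throwaway guarded server and reports the status code a
// request carrying the given Origin header receives (200 stands in for a
// successful upgrade so the example runs without a WebSocket library).
func Probe(origin string) int {
	srv := httptest.NewServer(OriginGuard(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})))
	defer srv.Close()
	req, _ := http.NewRequest(http.MethodGet, srv.URL+"/ws", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

func main() {
	fmt.Println("bind address:", ListenAddr("", 9515)) // 127.0.0.1:9515, never :9515
	// Constructed sample Origin values: what a local page, a remote page and
	// a non-browser client would send.
	for _, o := range []string{"", "http://localhost:3000", "http://[::1]:8080", "http://localhost.attacker.example", "null"} {
		fmt.Printf("%-36q -> %d\n", o, Probe(o))
	}
}
```

The guard deliberately treats a missing Origin as local: browsers always send Origin on a WebSocket handshake, so its absence means a non-browser client, and rejecting it would break the CLI and library clients the server exists to serve. Loopback binding is still the primary control; the Origin check only stops a page in the user's own browser from reaching the port.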

@paulsmith paulsmith marked this pull request as ready for review June 14, 2026 23:03
@paulsmith paulsmith changed the title [codex] Bind serve to loopback and reject non-local WebSocket origins Bind serve to loopback and reject non-local WebSocket origins Jun 14, 2026