Add localhost:7445 to Quick Edit allowed parent origins#13046
Conversation
penalosa
added
the
skip-pr-description-validation
|
|
Codeowners approval required for this PR:
Show detailed file reviewers
|
![ask-bonk[bot]](https://avatars.githubusercontent.com/in/2454580?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
|
I'm Bonk, and I've done a quick review of your PR. Review posted on PR #13046. Two issues flagged:
|
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
create-cloudflare
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-editor-shared
wrangler
commit: |
|
/bonk add a commit to this PR changing to only allow localhost:8445 |
There was a problem hiding this comment.
The change itself is straightforward, but it introduces dead code and has a security implication worth calling out explicitly (both already noted by the bot reviews).
Dead code: After this change, LOCALHOST_ORIGIN_WILDCARDS (line 24) and the isLocalDev conditional block (lines 44-46) are redundant. "http://localhost:*" is now unconditionally present in ALLOWED_PARENT_ORIGIN_WILDCARDS, so the conditional push just adds a duplicate. If this is intentional, those should be cleaned up in the same PR.
Security posture change: Previously, http://localhost:* was only included in frame-ancestors and the postMessage allow-list when the Quick Edit worker was itself running on localhost (i.e. local dev via wrangler dev). This change makes production Quick Edit accept iframe embedding and postMessage IPC from any http://localhost:<port> origin. That means any local HTTP server on a user's machine (browser extensions, other local apps, etc.) can embed production Quick Edit and receive the MessagePort passed at workbench.ts:150. This is likely low-severity since it requires local access, but it's a deliberate relaxation of the production CSP — confirming this is intentional would be good.
If this is intentional, I'd suggest a follow-up commit that removes the now-dead LOCALHOST_ORIGIN_WILDCARDS constant and the isLocalDev conditional block to keep the code clean.
|
I've posted a review on PR #13046. The review covers two points:
|
|
Codeowners approval required for this PR:
Show detailed file reviewers
|
|
/bonk add a commit to this PR changing to only allow localhost:8445 |
|
Done. The commit (
This tightens the allowed localhost origin from any port to only port 8445. |
|
Done. I've made two changes in
|
|
This is already addressed — commit |
|
The port is already set to 7445 on line 10 of |
penalosa
changed the title
localhost:* to Quick Edit allowed parent originslocalhost:7445 to Quick Edit allowed parent origins
dario-piotrowicz
left a comment
dario-piotrowicz
left a comment
There was a problem hiding this comment.
Could you explain the context for this PR what's special about port 7445? 😕
+1 to this. Would love a bit more detail on why this is needed @penalosa. |
Replace http://localhost:* wildcard with http://localhost:8445 and clean up the now-unused LOCALHOST_ORIGIN_WILDCARDS constant and isLocalDev conditional block.
|
Codeowners approval required for this PR:
Show detailed file reviewers |
penalosa
force-pushed
the
penalosa-patch-19
branch
from
6058f4e to
08cb4a7
Compare
workers-devprod
left a comment
workers-devprod
left a comment
There was a problem hiding this comment.
Codeowners reviews satisfied
Co-authored-by: ask-bonk[bot] <ask-bonk[bot]@users.noreply.github.com>
4 participants
This allows the production editor to be embedded in apps running locally.