From de85300e4b605f97e70815d7f552681fb8e60616 Mon Sep 17 00:00:00 2001
From: g0w6y
Date: Tue, 26 May 2026 11:37:20 +0530
Subject: [PATCH] fix(dev): restrict default CORS origins and WebSocket allowed origins to localhost

The dev server defaulted to a wildcard CORS policy (Access-Control-Allow-Origin: *) and registered the /run_live WebSocket endpoint with setAllowedOrigins("*"). Any page loaded from an arbitrary origin could therefore read HTTP responses and complete a cross-origin WebSocket handshake against a locally running dev server, giving a remote site read and drive access to the agent.
- AdkWebCorsProperties: change the default allowed-origins fallback from ["*"] to ["http://localhost:8080", "http://127.0.0.1:8080"] so the dev UI keeps working out of the box while all other origins are rejected by the browser.
- WebSocketConfig: inject AdkWebCorsProperties and derive the WebSocket allowed-origins list from the same property, eliminating the separate hardcoded wildcard and keeping both policies in sync.
Users who need a broader allowlist can set adk.web.cors.origins explicitly.
---
 .../google/adk/web/config/AdkWebCorsProperties.java | 5 ++++-
 .../com/google/adk/web/websocket/WebSocketConfig.java | 10 ++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java b/dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java
index c96dce91e..7de0f77a2 100644
--- a/dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java
+++ b/dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java
@@ -34,7 +34,10 @@ public record AdkWebCorsProperties(
 public AdkWebCorsProperties {
 mapping = mapping != null ? mapping : "/**";
- origins = origins != null && !origins.isEmpty() ? origins : List.of("*");
+ origins =
+ origins != null && !origins.isEmpty()
+ ? origins
+ : List.of("http://localhost:8080", "http://127.0.0.1:8080");
 methods =
 methods != null && !methods.isEmpty()
 ? methods
diff --git a/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java b/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java
index d3c09cf8b..a17d72aff 100644
--- a/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java
+++ b/dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java
@@ -16,6 +16,7 @@ package com.google.adk.web.websocket;
+import com.google.adk.web.config.AdkWebCorsProperties;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.socket.config.annotation.EnableWebSocket;
@@ -28,14 +29,19 @@ public class WebSocketConfig implements WebSocketConfigurer {
 private final LiveWebSocketHandler liveWebSocketHandler;
+ private final AdkWebCorsProperties corsProperties;
 @Autowired
- public WebSocketConfig(LiveWebSocketHandler liveWebSocketHandler) {
+ public WebSocketConfig(
+ LiveWebSocketHandler liveWebSocketHandler, AdkWebCorsProperties corsProperties) {
 this.liveWebSocketHandler = liveWebSocketHandler;
+ this.corsProperties = corsProperties;
 }
 @Override
 public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
- registry.addHandler(liveWebSocketHandler, "/run_live").setAllowedOrigins("*");
+ registry
+ .addHandler(liveWebSocketHandler, "/run_live")
+ .setAllowedOrigins(corsProperties.origins().toArray(new String[0]));
 }
 }
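Review bot: The new fallback in the compact constructor pins both scheme and port (`http://localhost:8080`, `http://127.0.0.1:8080`), so a developer who runs the dev server on any other `server.port` gets a dev UI silently blocked by the browser's CORS check and a failed /run_live handshake, with nothing in the logs pointing at `adk.web.cors.origins`. Consider deriving the default from the configured port, or at least logging the effective allowed-origins list at startup and documenting the default on the record's Javadoc, e.g. `Defaults to the dev UI's own origin on localhost/127.0.0.1 port 8080; set adk.web.cors.origins to widen.` The IPv6 loopback origin `http://[::1]:8080` is not in the default and would be rejected if a browser opens the UI that way — worth confirming whether that can happen in the dev setup. The record declaration and its Javadoc are outside the hunk.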
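Review bot: `setAllowedOrigins` on the handshake registration in `registerWebSocketHandlers` is an exact string match against the request's `Origin` header (a `*` entry allows everything, and as far as Spring's origin interceptor goes a request that carries no `Origin` header at all is accepted), so it stops drive-by browser pages but is not authentication for non-browser clients, and a configured entry with a wildcard such as `https://*.example.com` will never match here even if the HTTP CORS side accepts it as an origin pattern. That is worth a comment above the `.setAllowedOrigins(...)` call, e.g. `// Exact-match Origin allowlist shared with HTTP CORS; wildcard patterns are not supported here, and clients that send no Origin header pass.` If the HTTP CORS registration uses origin patterns, the two policies are only nominally in sync and the property's Javadoc should say that only literal origins apply to /run_live.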