Skip to content

feat(mcp): support wildcard port in allowedOrigins and blockedOrigins #38944

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
saarya-cyera wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(mcp): support wildcard port in allowedOrigins and blockedOrigins #38944

saarya-cyera wants to merge 1 commit into from
+51 −0

Conversation

@saarya-cyera
Copy link

@saarya-cyera saarya-cyera commented Jan 24, 2026

Summary

Add support for wildcard port syntax like http://localhost:* in the network.allowedOrigins and network.blockedOrigins config options. This allows restricting browser requests to a specific protocol and hostname while accepting any port number.

Fixes microsoft/playwright-mcp#1337

Changes

  • packages/playwright/src/mcp/browser/context.ts: Update originOrHostGlob() to detect wildcard port patterns and generate the correct glob pattern
  • packages/playwright/src/mcp/config.d.ts: Document supported origin formats in JSDoc
  • tests/mcp/request-blocking.spec.ts: Add 4 tests for wildcard port functionality

Problem

Previously, patterns like http://localhost:* would fail to parse as a valid URL, causing the code to fall through to legacy host-only mode and generate an invalid glob pattern like *://http://localhost:*/** which never matches anything.

Solution

Detect wildcard port patterns with regex before attempting URL parsing:

const wildcardPortMatch = originOrHost.match(/^(https?):\/\/([^/:]+):\*$/);
if (wildcardPortMatch) {
  const [, protocol, hostname] = wildcardPortMatch;
  return `${protocol}://${hostname}:*/**`;
}
Input Previous Output New Output
http://localhost:* *://http://localhost:*/** http://localhost:*/**
https://example.com:* *://https://example.com:*/** https://example.com:*/**
http://localhost:8000 http://localhost:8000/** (unchanged)
localhost *://localhost/** (unchanged)

Use Case

This is useful when you want to:

  • Allow only HTTP (not HTTPS) traffic to localhost
  • Allow localhost on any port while blocking other hosts
  • Have more granular control over protocol while keeping port flexibility

@saarya-cyera
feat(mcp): support wildcard port in allowedOrigins and blockedOrigins
6f842bc 
Add support for wildcard port syntax like `http://localhost:*` in the
network.allowedOrigins and network.blockedOrigins config options. This
allows restricting browser requests to a specific protocol and hostname
while accepting any port number.

Previously, patterns like `http://localhost:*` would fail to parse as a
valid URL, causing the code to fall through to legacy host-only mode
and generate an invalid glob pattern like `*://http://localhost:*/**`.

The fix detects wildcard port patterns and generates the correct glob
pattern `http://localhost:*/**` which properly matches any port.
@saarya-cyera saarya-cyera force-pushed the fix/mcp-origin-wildcard-port branch from 7608161 to 6f842bc Compare January 24, 2026 05:35
@saarya-cyera
Copy link
Author

saarya-cyera commented Jan 24, 2026

@microsoft-github-policy-service agree company="Cyera"

yury-s
yury-s reviewed Jan 26, 2026
View reviewed changes
packages/playwright/src/mcp/browser/context.ts
const wildcardPortMatch = originOrHost.match(/^(https?):\/\/([^/:]+):\*$/);
if (wildcardPortMatch) {
const [, protocol, hostname] = wildcardPortMatch;
return `${protocol}://${hostname}:*/**`;
Copy link
Member

@yury-s yury-s Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to capture separate groups:

  const wildcardPortMatch = originOrHost.match(/^(https?:\/\/[^/:]+):\*$/);
  if (wildcardPortMatch)
    return `${wildcardPortMatch[1]}:*/**`;

packages/playwright/src/mcp/config.d.ts
* List of origins to allow the browser to request. Default is to allow all. Origins matching both `allowedOrigins` and `blockedOrigins` will be blocked.
*
* Supported formats:
* - Full origin: `https://example.com` - matches only that origin
Copy link
Member

@yury-s yury-s Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add port number to the example origin

packages/playwright/src/mcp/config.d.ts
*
* Supported formats:
* - Full origin: `https://example.com` - matches only that origin
* - Hostname only: `example.com` - matches any protocol on that host
Copy link
Member

@yury-s yury-s Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this line as it is for legacy mode.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yury-s yury-s yury-s approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: MCP --allowed-origins with wildcard port (http://localhost:*) generates invalid glob pattern

2 participants

@saarya-cyera @yury-s