Skip to content

feat(sidecar): Add --allowed-origin CLI option for custom CORS origins#1176

Merged
BYK merged 4 commits intomainfrom
byk/feat/cors-allow-list
Dec 3, 2025
Merged

feat(sidecar): Add --allowed-origin CLI option for custom CORS origins#1176
BYK merged 4 commits intomainfrom
byk/feat/cors-allow-list

Conversation

@BYK
Copy link
Copy Markdown
Member

@BYK BYK commented Dec 3, 2025
edited
Loading

Add allowedOrigins option to CLI and setupSidecar API for configuring
additional CORS origins beyond the built-in defaults (localhost, machine
IPs, spotlightjs.com). This addresses use cases like custom local domains,
tunneling services (ngrok, localtunnel), Docker containers, and LAN access.

The option supports two matching modes: full origins (e.g., https://ngrok.io:443)
for strict matching, and plain domains (e.g., myapp.local) to allow any
protocol/port combination. Multiple origins can be specified via repeatable
flags or comma-separated values.

Fixes #1171

@BYK
feat(sidecar): Add --allowed-origin CLI option for custom CORS origins
1a7bc46 
Add allowedOrigins option to CLI and setupSidecar API for configuring
additional CORS origins beyond the built-in defaults (localhost, machine
IPs, spotlightjs.com). This addresses use cases like custom local domains,
tunneling services (ngrok, localtunnel), Docker containers, and LAN access.

The option supports two matching modes: full origins (e.g., https://ngrok.io:443)
for strict matching, and plain domains (e.g., myapp.local) to allow any
protocol/port combination. Multiple origins can be specified via repeatable
flags or comma-separated values.

Fixes #1171
@BYK BYK deployed to Preview December 3, 2025 03:15 — with GitHub Actions Active
@vercel
Copy link
Copy Markdown

vercel bot commented Dec 3, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
spotlightjs Skipped Skipped Dec 3, 2025 3:42am

@BYK BYK deployed to Preview December 3, 2025 03:30 — with GitHub Actions Active
@BYK BYK deployed to Preview December 3, 2025 03:42 — with GitHub Actions Active
@BYK BYK marked this pull request as ready for review December 3, 2025 03:47
@BYK BYK merged commit 75a1848 into main Dec 3, 2025
20 checks passed
@BYK BYK deleted the byk/feat/cors-allow-list branch December 3, 2025 03:58
@sentry-release-bot sentry-release-bot bot mentioned this pull request Dec 3, 2025
Merged
BYK pushed a commit that referenced this pull request Dec 3, 2025
@sentry-release-bot @github-actions
meta(changelog): Update package versions (#1177)
1420e48 
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and publish to npm
yourself or [setup this action to publish
automatically](https://github.com/changesets/action#with-publishing). If
you're not ready to do a release yet, that's fine, whenever you add more
changesets to main, this PR will be updated.


# Releases
## @spotlightjs/spotlight@4.7.0

### Minor Changes

- Add `--allowed-origin` / `-A` CLI option and `allowedOrigins` API
option for configuring additional CORS origins. Supports both full
origins (e.g., `https://ngrok.io:443`) for strict matching and plain
domains (e.g., `myapp.local`) for permissive matching. Fixes
[#1171](#1171).
([#1176](#1176))

### Patch Changes

- Restore draggable electron app and recover semaphore buttons
([#1173](#1173))

- Allow any DNS pointing to localhost in CORS
([#1175](#1175))

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@gajus
Copy link
Copy Markdown

gajus commented Jan 15, 2026

Came here searching for this.

Something that threw me off is that --help command does not show this option.

$ spotlight server --help
🔎 [Spotlight] Spotlight by Sentry - v4.10.0

server - Start the Spotlight sidecar server (default command)

Usage: spotlight [server] [options]

Start the Spotlight sidecar HTTP server.

This is the default command when running 'spotlight' without arguments.
The server listens for events from Sentry SDKs and serves the Spotlight UI.

The server provides:
  - HTTP endpoint for receiving Sentry envelopes
  - Server-Sent Events (SSE) stream for real-time updates
  - Web UI at http://localhost:PORT

Examples:
  spotlight                          # Start on default port 8969
  spotlight server                   # Explicit server command
  spotlight --open                   # Start and open dashboard in browser
  spotlight --port 3000              # Start on port 3000
  spotlight -p 3000 -d               # Start on port 3000 with debug logging

BYK added a commit that referenced this pull request Jan 21, 2026
@BYK
fix(cli): Show options in command-specific help output
2a833f8 
Extract options help text into a reusable function so that CLI options
(including --allowed-origin) are displayed in both main help and
command-specific help (e.g., spotlight server --help).

Fixes #1176 (comment)
@BYK BYK mentioned this pull request Jan 21, 2026
Merged
@BYK
Copy link
Copy Markdown
Member Author

BYK commented Jan 21, 2026

@gajus sorry for the late response, #1260 is up

BYK added a commit that referenced this pull request Jan 21, 2026
@BYK
fix(cli): Show options in command-specific help output
bea3edc 
Extract options help text into a reusable function so that CLI options
(including --allowed-origin) are displayed in both main help and
command-specific help (e.g., spotlight server --help).

Fixes #1176 (comment)
BYK added a commit that referenced this pull request Jan 21, 2026
@BYK
fix(cli): Show options in command-specific help output (#1260)
96c06dd 
## Summary

- CLI options (e.g., `--allowed-origin`) were not shown in
command-specific help (e.g., `spotlight server --help`)
- Extract options help text into a reusable `getOptionsHelp()` function
- Use this function in both `showMainHelp()` and `showCommandHelp()`

Fixes
#1176 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CORS restrictions missing configuration for additional allowed origins

2 participants

@BYK @gajus