fix(launcher): add --remote-allow-origins=* for Chromium 142+ ws origin check #1789
Merged
jackwener merged 2 commits on May 31, 2026
…in check
Chrome / Electron 142+ enforces an Origin allow-list on the CDP WebSocket
upgrade at ws://127.0.0.1:<port>/devtools/page/<id>. Without this flag,
any external ws client (Python's websocket-client, raw curl, headless
Puppeteer attached after the fact, etc.) gets HTTP 403:
Rejected an incoming WebSocket connection from the
http://127.0.0.1:<port> origin. Use the command line flag
--remote-allow-origins=http://127.0.0.1:<port> to allow
connections from this origin or --remote-allow-origins=* to
allow all origins.
This affects every Electron app opencli auto-launches (codex, doubao,
antigravity, chatgpt) because they all bundle recent Chromium. opencli's
own internal CDP client happens to work because chrome-devtools-protocol
sets a chrome:// origin, but anything else fails — which surfaces
immediately the moment a user pairs opencli with an external ws debugger.
Same mitigation Puppeteer (commit f1b8617), Playwright (commit 24f2ce5),
and chrome-devtools-mcp use: pass --remote-allow-origins=* on launch.
Side effects: None for opencli's own usage. The flag only affects which
origins can establish a CDP ws upgrade — it doesn't open any new
network surface (CDP is still localhost-only because Chromium's
--remote-debugging-port binds to 127.0.0.1 by default).
Verified:
· tsc --build passes
· vitest launcher.test.ts: 9 passed | 1 skipped
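
An added example, not part of this PR or of opencli: a launch-argument audit for the trade-off described under "Side effects", flagging the wildcard allow-list and offering the port-scoped value that Chromium's own 403 text names. The function and type names are hypothetical, and `--remote-debugging-address` is a Chromium switch the PR does not mention.

```typescript
// Added example (not opencli code). Flag names are Chromium's; function and
// type names here are hypothetical.
type Finding = { level: "info" | "warn"; message: string };

// Value of the last `--name=value` occurrence in argv, or undefined.
function flagValue(argv: string[], name: string): string | undefined {
  const prefix = "--" + name + "=";
  let value: string | undefined;
  for (const arg of argv) {
    if (arg.indexOf(prefix) === 0) value = arg.slice(prefix.length);
  }
  return value;
}

// The narrow form that Chromium's 403 message offers next to the wildcard.
function scopedOriginFlag(port: number): string {
  return "--remote-allow-origins=http://127.0.0.1:" + port;
}

function auditCdpArgs(argv: string[]): Finding[] {
  const findings: Finding[] = [];
  const rawPort = flagValue(argv, "remote-debugging-port");
  if (rawPort === undefined) return findings; // CDP server not requested
  const port = Number(rawPort);
  const origins = (flagValue(argv, "remote-allow-origins") || "")
    .split(",").map((o) => o.trim()).filter((o) => o.length > 0);

  if (origins.length === 0) {
    findings.push({ level: "info",
      message: "no origin allow-list: external ws clients get HTTP 403" });
  } else if (origins.indexOf("*") !== -1) {
    // With port 0 Chromium picks the port itself, so no origin can be named up front.
    const hint = port > 0 ? "; narrower: " + scopedOriginFlag(port) : "";
    findings.push({ level: "warn",
      message: "any Origin may open a CDP WebSocket" + hint });
  }

  // --remote-debugging-address is a real Chromium switch not mentioned in the PR;
  // it overrides the loopback default that the side-effects claim relies on.
  const addr = flagValue(argv, "remote-debugging-address");
  if (addr !== undefined && ["127.0.0.1", "localhost", "::1"].indexOf(addr) === -1) {
    findings.push({ level: "warn",
      message: "CDP bound to non-loopback address " + addr });
  }
  return findings;
}
```

Run it over the argv a launcher is about to spawn; an empty result means CDP is either off or limited to named origins on loopback.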
What
When opencli auto-launches an Electron app (codex, doubao, antigravity, chatgpt), pass --remote-allow-origins=* alongside --remote-debugging-port=<port>.

Why
Chrome / Electron 142+ enforces an Origin allow-list on the CDP WebSocket upgrade at ws://127.0.0.1:<port>/devtools/page/<id>. Without the flag, any external ws client gets HTTP 403:

This bites the moment someone pairs opencli with an external CDP ws debugger — Python websocket-client, raw curl, headless Puppeteer attached after launch, custom MCP servers, etc. opencli's own internal CDP client happens to work because chrome-devtools-protocol uses a chrome:// origin, but anything else fails.

How does Puppeteer / Playwright / chrome-devtools-mcp handle this?
Same way — they all set --remote-allow-origins=* by default:
· puppeteer/lib/cjs/puppeteer/node/ChromeLauncher.ts (--remote-allow-origins=* in DEFAULT_ARGS)
· playwright/packages/playwright-core/src/server/registry/dependencies.ts (added in #24517)
· --remote-allow-origins=* by default

Side effects
None for opencli's own usage. The flag controls which origins can establish a CDP ws upgrade, not which network interfaces the CDP server binds to. CDP is still localhost-only — Chromium's --remote-debugging-port binds 127.0.0.1.

Tested
· tsc --build clean
· vitest run launcher.test.ts → 9 passed / 1 skipped (pre-existing skipped)
· python -m websocket without the 403.

Diff