fix(setup-ci-app): serve form via localhost, open default browser #286
Merged
File:// URLs block cross-origin POSTs to github.com (CSRF); incognito mode means the user isn't logged in. Python server now handles both the root / (HTML form) and /callback (code exchange), then the script opens http://localhost:PORT/ in the default browser instead of incognito. Also adds issues:write to the app manifest so burndown-tasks sync works.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

- file://→https:// cross-origin POSTs (GitHub CSRF protection)
- GET / serves the manifest form, GET /callback receives the code
- issues: "write" to the app manifest (required for burndown-tasks TODO sync)

Root cause

Old script wrote HTML to a temp file and opened file:///tmp/.../go.html. Browsers treat file:// as opaque origin and block POSTs to https://github.com — GitHub returned 500. Script also opened incognito so user wasn't logged in.

Test plan

- ./scripts/setup-ci-app.sh — browser opens http://localhost:8765/ (not file://)

🤖 Generated with Claude Code
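
The flow the description outlines, as an added example that is not the PR's own script: a loopback-only server that serves the manifest form at / and validates the redirect at /callback. The `state` check, the function names and the constructed manifest values are assumptions; port 8765 and `issues: write` come from the PR text.

```python
import hmac, html, json, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

PORT = 8765                          # port shown in the PR's test plan
STATE = secrets.token_urlsafe(16)    # per-run value (assumption: the PR does not show one)
MANIFEST = {"name": "example-ci-app", "url": "https://example.com",   # constructed values
            "default_permissions": {"issues": "write"}}

def render_form(port, state, manifest):
    """Form that POSTs the manifest to github.com from an http://localhost origin."""
    manifest = dict(manifest, redirect_url=f"http://localhost:{port}/callback")
    return (
        f'<form method="post" action="https://github.com/settings/apps/new?state={state}">'
        f'<input type="hidden" name="manifest" value="{html.escape(json.dumps(manifest))}">'
        "<button>Create GitHub App</button></form>"
    )

def check_callback(query, expected_state):
    """Return the one-time code, or None when code is missing or state does not match."""
    params = parse_qs(query)
    code = params.get("code", [""])[0]
    state = params.get("state", [""])[0]
    if not code or not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path == "/":
            self._send(200, render_form(PORT, STATE, MANIFEST))
        elif url.path == "/callback":
            code = check_callback(url.query, STATE)
            # A full script would now exchange the code via
            # POST https://api.github.com/app-manifests/{code}/conversions
            self._send(200 if code else 400, "Done, return to the terminal." if code else "Bad state.")
        else:
            self._send(404, "Not found.")

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # Loopback bind keeps the form and the callback off other network interfaces.
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()
```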