openclaw/src/browser
oneaix 216d99e585 fix(browser): derive relay auth token from gateway token in Chrome extension
The extension relay server authenticates using an HMAC-SHA256 derived
token (`openclaw-extension-relay-v1:<port>`), but the Chrome extension
was sending the raw gateway token. This caused both the WebSocket
connection and the options page validation to fail with 401 Unauthorized.

Additionally, the options page validation request triggered a CORS
preflight (due to the custom `x-openclaw-relay-token` header) which the
relay rejects because OPTIONS requests lack auth headers. The options
page now delegates the check to the background service worker which has
host_permissions and bypasses CORS preflight.

Fixes #23842

Co-authored-by: Cursor <cursoragent@cursor.com>
(cherry picked from commit bbc654b9f0)
2026-02-23 18:56:14 +00:00
routes fix(browser): block upload symlink escapes (#21972) 2026-02-20 16:36:25 +00:00
bridge-auth-registry.ts fix(security): enforce sandbox bridge auth 2026-02-14 13:17:41 +01:00
bridge-server.auth.test.ts test: dedupe repeated test fixtures and assertions 2026-02-22 18:37:25 +00:00
bridge-server.ts fix(sandbox): use one-time noVNC observer tokens 2026-02-21 13:56:58 +01:00
browser-utils.test.ts fix: harden extension relay auth token flow 2026-02-21 19:24:42 +01:00
cdp.helpers.ts refactor(browser): share checked fetch helper for cdp 2026-02-18 18:33:40 +00:00
cdp.test.ts refactor(browser): centralize navigation guard enforcement 2026-02-21 11:46:11 +01:00
cdp.ts refactor(browser): centralize navigation guard enforcement 2026-02-21 11:46:11 +01:00
chrome-extension-background-utils.test.ts fix(browser): derive relay auth token from gateway token in Chrome extension 2026-02-23 18:56:14 +00:00
chrome-extension-manifest.test.ts fix(browser): harden extension relay worker recovery 2026-02-22 19:08:38 +01:00
chrome-user-data-dir.test-harness.ts refactor(browser): dedupe control-server test harness 2026-02-22 17:54:51 +00:00
chrome.default-browser.test.ts test: dedupe repeated test fixtures and assertions 2026-02-22 18:37:25 +00:00
chrome.executables.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
chrome.profile-decoration.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
chrome.test.ts test: dedupe repeated test fixtures and assertions 2026-02-22 18:37:25 +00:00
chrome.ts style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
client-actions-core.ts refactor(browser): share download request helper 2026-02-18 18:54:27 +00:00
client-actions-observe.ts style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
client-actions-state.ts refactor(browser): share client-actions url helpers 2026-02-15 18:22:10 +00:00
client-actions-types.ts feat(browser): expand browser control surface 2026-01-12 17:32:44 +00:00
client-actions-url.ts refactor(browser): share client-actions url helpers 2026-02-15 18:22:10 +00:00
client-actions.ts feat(browser): expand browser control surface 2026-01-12 17:32:44 +00:00
client-fetch.loopback-auth.test.ts refactor(security): unify local-host and tailnet CIDR checks 2026-02-22 17:20:27 +01:00
client-fetch.ts refactor(security): unify local-host and tailnet CIDR checks 2026-02-22 17:20:27 +01:00
client.test.ts refactor(channels): dedupe transport and gateway test scaffolds 2026-02-16 14:59:31 +00:00
client.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
config.test.ts refactor(test): standardize env helpers across suites 2026-02-21 19:13:46 +00:00
config.ts fix(browser): unify SSRF guard path for navigation 2026-02-19 13:44:01 +01:00
constants.ts refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
control-auth.auto-token.test.ts test: dedupe gateway browser discord and channel coverage 2026-02-22 17:11:54 +00:00
control-auth.test.ts test(browser): dedupe auth mode no-token assertions 2026-02-19 08:25:12 +00:00
control-auth.ts Security: default gateway auth bootstrap and explicit mode none (#20686) 2026-02-19 02:35:50 -05:00
control-service.ts refactor(browser): share control lifecycle helpers 2026-02-18 17:48:02 +00:00
csrf.ts fix(browser): annotate csrf middleware type 2026-02-14 15:54:29 +01:00
extension-relay-auth.test.ts Browser relay: accept raw gateway token in extension auth 2026-02-23 18:56:14 +00:00
extension-relay-auth.ts Browser relay: accept raw gateway token in extension auth 2026-02-23 18:56:14 +00:00
extension-relay.test.ts Browser relay: accept raw gateway token in extension auth 2026-02-23 18:56:14 +00:00
extension-relay.ts Browser relay: accept raw gateway token in extension auth 2026-02-23 18:56:14 +00:00
http-auth.ts refactor(browser): centralize http auth 2026-02-14 13:30:11 +01:00
navigation-guard.test.ts fix(browser): block non-network navigation schemes 2026-02-21 11:31:53 +01:00
navigation-guard.ts refactor(browser): centralize navigation guard enforcement 2026-02-21 11:46:11 +01:00
paths.test.ts Browser: accept canonical upload paths for symlinked roots 2026-02-21 21:54:57 -08:00
paths.ts Browser: accept canonical upload paths for symlinked roots 2026-02-21 21:54:57 -08:00
profiles-service.test.ts style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
profiles-service.ts style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
profiles.test.ts test: optimize gateway infra memory and security coverage 2026-02-21 21:44:50 +00:00
profiles.ts chore: Enable `typescript/no-explicit-any` rule. 2026-02-02 16:18:09 +09:00
proxy-files.ts refactor(browser): share proxy file helpers 2026-02-14 15:39:45 +00:00
pw-ai-module.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
pw-ai-state.ts perf(test): reduce hot-suite import and setup overhead 2026-02-13 20:26:39 +00:00
pw-ai.test.ts chore: Fix types in tests 45/N. 2026-02-17 15:50:07 +09:00
pw-ai.ts perf(test): reduce hot-suite import and setup overhead 2026-02-13 20:26:39 +00:00
pw-role-snapshot.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
pw-role-snapshot.ts refactor: extract shared dedupe helpers for runtime paths 2026-02-23 05:43:43 +00:00
pw-session.browserless.live.test.ts perf(test): use expect.poll in browserless live test 2026-02-18 22:06:44 +00:00
pw-session.create-page.navigation-guard.test.ts test(core): reduce mock reset overhead in targeted suites 2026-02-22 08:40:29 +00:00
pw-session.get-page-for-targetid.extension-fallback.test.ts test(core): use lightweight clears in subagent and browser setup 2026-02-22 08:07:41 +00:00
pw-session.mock-setup.ts fix(ci): add explicit mock types in pw-session mock setup 2026-02-22 08:05:12 +00:00
pw-session.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
pw-session.ts style(browser): apply oxfmt cleanup for gate 2026-02-21 13:16:07 +01:00
pw-tools-core.activity.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
pw-tools-core.clamps-timeoutms-scrollintoview.test.ts test(browser): table-drive scroll and click error rewrites 2026-02-21 23:58:33 +00:00
pw-tools-core.downloads.ts refactor(browser): share playwright download wait/save flow 2026-02-18 18:25:25 +00:00
pw-tools-core.interactions.evaluate.abort.test.ts test: dedupe and optimize test suites 2026-02-19 15:19:38 +00:00
pw-tools-core.interactions.ts fix: prevent act:evaluate hangs from getting browser tool stuck/killed (#13498) 2026-02-11 07:54:48 +08:00
pw-tools-core.last-file-chooser-arm-wins.test.ts chore: Fix types in tests 45/N. 2026-02-17 15:50:07 +09:00
pw-tools-core.responses.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
pw-tools-core.screenshots-element-selector.test.ts refactor(test): share pw-tools-core test setup 2026-02-14 21:20:43 +00:00
pw-tools-core.shared.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
pw-tools-core.snapshot.navigate-guard.test.ts refactor(browser): centralize navigation guard enforcement 2026-02-21 11:46:11 +01:00
pw-tools-core.snapshot.ts refactor(browser): unify navigation guard path and error typing 2026-02-19 14:04:18 +01:00
pw-tools-core.state.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
pw-tools-core.storage.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
pw-tools-core.test-harness.ts refactor(test): share pw-tools-core test setup 2026-02-14 21:20:43 +00:00
pw-tools-core.trace.ts chore: migrate to oxlint and oxfmt 2026-01-14 15:02:19 +00:00
pw-tools-core.ts refactor(browser): split pw tools + agent routes 2026-01-14 05:39:44 +00:00
pw-tools-core.waits-next-download-saves-it.test.ts test(browser): dedupe CDP and download setup helpers 2026-02-19 07:24:02 +00:00
resolved-config-refresh.ts style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
screenshot.test.ts test: move browser and web auto-reply local suites out of e2e 2026-02-22 11:05:26 +00:00
screenshot.ts refactor(media): share image resize side grid and quality steps 2026-02-18 18:25:25 +00:00
server-context.chrome-test-harness.ts refactor(browser): dedupe control-server test harness 2026-02-22 17:54:51 +00:00
server-context.ensure-tab-available.prefers-last-target.test.ts style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
server-context.hot-reload-profiles.test.ts test: dedupe and optimize test suites 2026-02-19 15:19:38 +00:00
server-context.remote-tab-ops.test.ts test: dedupe fixtures and test harness setup 2026-02-23 05:45:54 +00:00
server-context.ts fix(browser): recover stale remote target ids 2026-02-22 19:08:38 +01:00
server-context.types.ts refactor(core): dedupe browser route signatures and cli watchdog schema 2026-02-18 14:15:20 +00:00
server-lifecycle.test.ts test(browser): use lightweight clears in server lifecycle setup 2026-02-22 08:01:15 +00:00
server-lifecycle.ts refactor(browser): share control lifecycle helpers 2026-02-18 17:48:02 +00:00
server-middleware.ts refactor(browser): share common server middleware 2026-02-15 04:46:10 +00:00
server.agent-contract-form-layout-act-commands.test.ts chore: Fix types in tests 9/N. 2026-02-17 11:22:49 +09:00
server.agent-contract-snapshot-endpoints.test.ts chore: Fix types in tests 21/N. 2026-02-17 12:23:12 +09:00
server.agent-contract.test-harness.ts refactor(channels): dedupe transport and gateway test scaffolds 2026-02-16 14:59:31 +00:00
server.auth-token-gates-http.test.ts perf(test): speed up browser test suites 2026-02-14 14:25:54 +00:00
server.control-server.test-harness.ts refactor(browser): dedupe control-server test harness 2026-02-22 17:54:51 +00:00
server.evaluate-disabled-does-not-block-storage.test.ts test: isolate browser server auth env (evaluate gating) 2026-02-14 20:12:26 +00:00
server.post-tabs-open-profile-unknown-returns-404.test.ts refactor(browser): dedupe control-server test harness 2026-02-22 17:54:51 +00:00
server.ts refactor(browser): share control lifecycle helpers 2026-02-18 17:48:02 +00:00
target-id.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
test-port.ts style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
trash.ts refactor(security): unify secure id paths and guard weak patterns 2026-02-22 10:16:19 +01:00