Summary
lib/server.py sets Access-Control-Allow-Origin: * on every response and ships a permissive do_OPTIONS:
self.send_header("Access-Control-Allow-Origin", "*")
...
def do_OPTIONS(self):
self.send_response(204)
self.send_header("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
self.send_header("Access-Control-Allow-Headers", "Content-Type")
This means any web page the developer visits in their browser — while the dev server is running on localhost:5050 — can POST arbitrary JSON to /feedback and /mark-seen via fetch().
Repro
While the server is running, a malicious page on any origin can do:
fetch('http://127.0.0.1:5050/feedback', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({comments: [{text: 'attacker-controlled feedback'}]})
})
The preflight passes (wildcard CORS + permitted method + permitted header) and the JSON is appended to inbox.jsonl. The agent then reads this on its next pass and treats it as user feedback — meaning a website can inject content into the agent's working context while the developer browses unrelated tabs.
Suggested fix
- Drop
Access-Control-Allow-Origin: * and the permissive do_OPTIONS
- On POSTs, reject the request if the
Origin header is present and doesn't match this server's Host
- Optional follow-up: validate
Host against a small allowlist (127.0.0.1, localhost) to also defeat DNS rebinding against the loopback server
Summary
lib/server.pysetsAccess-Control-Allow-Origin: *on every response and ships a permissivedo_OPTIONS:This means any web page the developer visits in their browser — while the dev server is running on
localhost:5050— can POST arbitrary JSON to/feedbackand/mark-seenviafetch().Repro
While the server is running, a malicious page on any origin can do:
The preflight passes (wildcard CORS + permitted method + permitted header) and the JSON is appended to
inbox.jsonl. The agent then reads this on its next pass and treats it as user feedback — meaning a website can inject content into the agent's working context while the developer browses unrelated tabs.Suggested fix
Access-Control-Allow-Origin: *and the permissivedo_OPTIONSOriginheader is present and doesn't match this server'sHostHostagainst a small allowlist (127.0.0.1,localhost) to also defeat DNS rebinding against the loopback server