Skip to content

Security: wildcard CORS allows cross-origin POSTs to /feedback (CSRF) #3

Description

@companygardener

Summary

lib/server.py sets Access-Control-Allow-Origin: * on every response and ships a permissive do_OPTIONS:

self.send_header("Access-Control-Allow-Origin", "*")
...
def do_OPTIONS(self):
    self.send_response(204)
    self.send_header("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
    self.send_header("Access-Control-Allow-Headers", "Content-Type")

This means any web page the developer visits in their browser — while the dev server is running on localhost:5050 — can POST arbitrary JSON to /feedback and /mark-seen via fetch().

Repro

While the server is running, a malicious page on any origin can do:

fetch('http://127.0.0.1:5050/feedback', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({comments: [{text: 'attacker-controlled feedback'}]})
})

The preflight passes (wildcard CORS + permitted method + permitted header) and the JSON is appended to inbox.jsonl. The agent then reads this on its next pass and treats it as user feedback — meaning a website can inject content into the agent's working context while the developer browses unrelated tabs.

Suggested fix

  • Drop Access-Control-Allow-Origin: * and the permissive do_OPTIONS
  • On POSTs, reject the request if the Origin header is present and doesn't match this server's Host
  • Optional follow-up: validate Host against a small allowlist (127.0.0.1, localhost) to also defeat DNS rebinding against the loopback server

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions