Skip to content

Add "Disable browser WebSecurity" toggle to the preview browser#3766

Open
akarabach wants to merge 4 commits into
pingdotgg:mainfrom
akarabach:preview-disable-web-security
Open

Add "Disable browser WebSecurity" toggle to the preview browser#3766
akarabach wants to merge 4 commits into
pingdotgg:mainfrom
akarabach:preview-disable-web-security

Conversation

@akarabach

@akarabach akarabach commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

What & why

Adds the ability to run t3code's built-in preview browser with web security (the same-origin policy / CORS) disabled — the embedded-browser equivalent of launching Chrome with --disable-web-security. This is a local-development escape hatch for previewing pages that make cross-origin requests to APIs without CORS headers.

t3code's preview is an embedded Electron <webview> (in-process Chromium), not a launched browser, so this is delivered via Electron's per-guest disablewebsecurity attribute rather than a browser binary/flags.

Changes

  • packages/contracts/src/settings.ts — new client setting previewDisableWebSecurity (boolean, default false) in ClientSettingsSchema + ClientSettingsPatch. Persists to client-settings.json via existing patch routing.
  • apps/web/src/browser/HostedBrowserWebview.tsx — renders the disablewebsecurity attribute on the preview <webview> when enabled. The value is captured once per webview creation (Electron only reads it at guest attach) and rendered as a JSX attribute (like partition/webpreferences) so it's present before the guest attaches.
  • apps/web/src/components/preview/PreviewMoreMenu.tsx — a "Disable web security (CORS)" checkbox in the preview browser's three-dot menu, with a toast noting it applies to newly opened tabs.
  • apps/desktop/src/settings/DesktopClientSettings.test.ts — updates the round-trip ClientSettings fixture for the new field.

Behavior notes

  • Off by default; opt-in and persisted per machine.
  • Applies to preview tabs opened after toggling — Electron can't change web security on an already-attached guest, so existing tabs keep their mode until reopened.
  • Security posture is otherwise unchanged: sandbox/nodeIntegration/contextIsolation remain force-enforced by the will-attach-webview handler; only same-origin/CORS inside the guest is relaxed, and only on opt-in.
  • Also applies to agent-driven preview_* automation, since it uses the same webviews.

Testing

  • Typecheck + unit tests pass for @t3tools/contracts, @t3tools/web, and @t3tools/desktop; repo lint clean (no new warnings).
  • Manually verified in the desktop dev build: toggling the menu item and opening a new preview tab enables/disables cross-origin fetch(); the setting survives app restart.

Note on the "true" as unknown as boolean cast in HostedBrowserWebview.tsx: disablewebsecurity is unknown to react-dom's runtime attribute registry, so React drops boolean values for it — the attribute must be a string to render, while React's types declare the prop as boolean. The cast is type-only; the runtime value stays the string "true", which Electron treats as presence.


Note

Medium Risk
Opt-in relaxation of same-origin/CORS in preview guests is intentional for dev, but it weakens browser security for users who enable it; attach-time freezing limits blast radius to tabs opened after the toggle.

Overview
Adds an opt-in Disable browser WebSecurity control for the desktop preview’s embedded Electron <webview>, so local previews can bypass same-origin/CORS like Chrome’s --disable-web-security.

A new persisted client setting previewDisableWebSecurity (default false) is wired through contracts and the desktop settings test fixture. The preview More menu gets a switch that updates the setting and shows a toast that only newly opened tabs pick up the change.

HostedBrowserWebview waits for client-settings hydration, snapshots the flag once per webview (Electron reads disablewebsecurity only at guest attach), and conditionally sets that attribute on the <webview> before mount.

Reviewed by Cursor Bugbot for commit 07e7755. Bugbot is set up for automated code reviews on this repo. Configure here.

Note

Add "Disable browser WebSecurity" toggle to the preview browser

  • Adds a previewDisableWebSecurity boolean field to ClientSettingsSchema and ClientSettingsPatch in settings.ts, defaulting to false.
  • Adds a "Disable browser WebSecurity" checkbox to PreviewMoreMenu.tsx that persists the setting and shows a toast confirming the change.
  • In HostedBrowserWebview.tsx, the <webview> element conditionally sets the disablewebsecurity Electron attribute based on the hydrated setting; rendering is deferred until settings hydration resolves.
  • Risk: disabling WebSecurity applies only to tabs opened after the toggle is changed, not existing ones.

Macroscope summarized 07e7755.

Adds a per-machine client setting, previewDisableWebSecurity (default off),
surfaced as a checkbox in the preview browser's three-dot menu. When enabled,
preview <webview> tags render Electron's disablewebsecurity attribute, turning
off the same-origin policy inside the guest page — the embedded-browser
equivalent of Chrome's --disable-web-security. Applies to preview tabs opened
after toggling.
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 1d923310-125a-41bb-b1aa-009684ef026b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added vouch:unvouched PR author is not yet trusted in the VOUCHED list. size:M 30-99 changed lines (additions + deletions). labels Jul 7, 2026
Comment thread apps/web/src/browser/HostedBrowserWebview.tsx Outdated
@akarabach akarabach changed the title Add preview browser toggle to disable web security (CORS) Add "Disable browser WebSecurity" toggle to the preview browser Jul 7, 2026
@macroscopeapp

macroscopeapp Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Approvability

Verdict: Needs human review

This PR adds a security-related feature (disabling web security/CORS for preview browsers). Security-affecting changes warrant human review. Additionally, an unresolved high-severity comment identifies a potential bug with webview registration timing.

You can customize Macroscope's approvability policy. Learn more.

Comment thread apps/web/src/browser/HostedBrowserWebview.tsx Outdated
Gate the frozen disableWebSecurity value on client-settings hydration so a
preview webview mounted during startup/session-restore reads the persisted
setting instead of the default false snapshot. Subscribing via
useClientSettingsHydrated both triggers hydration and re-renders on completion;
the webview render is held until the value is frozen.

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit b0042ad. Configure here.

const [disableWebSecurity, setDisableWebSecurity] = useState<boolean | null>(null);
if (disableWebSecurity === null && settingsHydrated) {
setDisableWebSecurity(getClientSettings().previewDisableWebSecurity);
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Webview registration skipped after delay

High Severity

The webview now waits for client settings hydration before rendering. This means the registerWebview effect, whose dependencies (config, tabId) don't track the webview's presence, can run when the element is absent and not re-run when it appears. This prevents registerWebview and its listeners from attaching, breaking navigation and desktopOverlay.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit b0042ad. Configure here.

Use MenuCheckboxItem's switch variant so the toggle shows an always-visible
on/off switch instead of a checkmark-only-when-checked row, and keep the menu
open on toggle so it animates in place.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:M 30-99 changed lines (additions + deletions). vouch:unvouched PR author is not yet trusted in the VOUCHED list.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant