Add "Disable browser WebSecurity" toggle to the preview browser#3766
Add "Disable browser WebSecurity" toggle to the preview browser#3766akarabach wants to merge 4 commits into
Conversation
Adds a per-machine client setting, previewDisableWebSecurity (default off), surfaced as a checkbox in the preview browser's three-dot menu. When enabled, preview <webview> tags render Electron's disablewebsecurity attribute, turning off the same-origin policy inside the guest page — the embedded-browser equivalent of Chrome's --disable-web-security. Applies to preview tabs opened after toggling.
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
ApprovabilityVerdict: Needs human review This PR adds a security-related feature (disabling web security/CORS for preview browsers). Security-affecting changes warrant human review. Additionally, an unresolved high-severity comment identifies a potential bug with webview registration timing. You can customize Macroscope's approvability policy. Learn more. |
Gate the frozen disableWebSecurity value on client-settings hydration so a preview webview mounted during startup/session-restore reads the persisted setting instead of the default false snapshot. Subscribing via useClientSettingsHydrated both triggers hydration and re-renders on completion; the webview render is held until the value is frozen.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit b0042ad. Configure here.
| const [disableWebSecurity, setDisableWebSecurity] = useState<boolean | null>(null); | ||
| if (disableWebSecurity === null && settingsHydrated) { | ||
| setDisableWebSecurity(getClientSettings().previewDisableWebSecurity); | ||
| } |
There was a problem hiding this comment.
Webview registration skipped after delay
High Severity
The webview now waits for client settings hydration before rendering. This means the registerWebview effect, whose dependencies (config, tabId) don't track the webview's presence, can run when the element is absent and not re-run when it appears. This prevents registerWebview and its listeners from attaching, breaking navigation and desktopOverlay.
Reviewed by Cursor Bugbot for commit b0042ad. Configure here.
Use MenuCheckboxItem's switch variant so the toggle shows an always-visible on/off switch instead of a checkmark-only-when-checked row, and keep the menu open on toggle so it animates in place.


What & why
Adds the ability to run t3code's built-in preview browser with web security (the same-origin policy / CORS) disabled — the embedded-browser equivalent of launching Chrome with
--disable-web-security. This is a local-development escape hatch for previewing pages that make cross-origin requests to APIs without CORS headers.t3code's preview is an embedded Electron
<webview>(in-process Chromium), not a launched browser, so this is delivered via Electron's per-guestdisablewebsecurityattribute rather than a browser binary/flags.Changes
packages/contracts/src/settings.ts— new client settingpreviewDisableWebSecurity(boolean, defaultfalse) inClientSettingsSchema+ClientSettingsPatch. Persists toclient-settings.jsonvia existing patch routing.apps/web/src/browser/HostedBrowserWebview.tsx— renders thedisablewebsecurityattribute on the preview<webview>when enabled. The value is captured once per webview creation (Electron only reads it at guest attach) and rendered as a JSX attribute (likepartition/webpreferences) so it's present before the guest attaches.apps/web/src/components/preview/PreviewMoreMenu.tsx— a "Disable web security (CORS)" checkbox in the preview browser's three-dot menu, with a toast noting it applies to newly opened tabs.apps/desktop/src/settings/DesktopClientSettings.test.ts— updates the round-tripClientSettingsfixture for the new field.Behavior notes
sandbox/nodeIntegration/contextIsolationremain force-enforced by thewill-attach-webviewhandler; only same-origin/CORS inside the guest is relaxed, and only on opt-in.preview_*automation, since it uses the same webviews.Testing
@t3tools/contracts,@t3tools/web, and@t3tools/desktop; repo lint clean (no new warnings).fetch(); the setting survives app restart.Note
Medium Risk
Opt-in relaxation of same-origin/CORS in preview guests is intentional for dev, but it weakens browser security for users who enable it; attach-time freezing limits blast radius to tabs opened after the toggle.
Overview
Adds an opt-in Disable browser WebSecurity control for the desktop preview’s embedded Electron
<webview>, so local previews can bypass same-origin/CORS like Chrome’s--disable-web-security.A new persisted client setting
previewDisableWebSecurity(defaultfalse) is wired through contracts and the desktop settings test fixture. The preview More menu gets a switch that updates the setting and shows a toast that only newly opened tabs pick up the change.HostedBrowserWebviewwaits for client-settings hydration, snapshots the flag once per webview (Electron readsdisablewebsecurityonly at guest attach), and conditionally sets that attribute on the<webview>before mount.Reviewed by Cursor Bugbot for commit 07e7755. Bugbot is set up for automated code reviews on this repo. Configure here.
Note
Add "Disable browser WebSecurity" toggle to the preview browser
previewDisableWebSecurityboolean field toClientSettingsSchemaandClientSettingsPatchin settings.ts, defaulting tofalse.<webview>element conditionally sets thedisablewebsecurityElectron attribute based on the hydrated setting; rendering is deferred until settings hydration resolves.Macroscope summarized 07e7755.