Skip to content

Add additional local URL for safe app origins#7843

Open
TimDaub wants to merge 2 commits into
cowprotocol:developfrom
TimDaub:patch-2
Open

Add additional local URL for safe app origins#7843
TimDaub wants to merge 2 commits into
cowprotocol:developfrom
TimDaub:patch-2

Conversation

@TimDaub

@TimDaub TimDaub commented Jul 10, 2026

Copy link
Copy Markdown

Hi,

the limit to port 4003 on the iframe is sadly breaking our e2e test suite and we would like to not spend a whole lot of time switching all the tests now from one port to another port. So my idea would be that we just also hard code the port that we've been using historically to run our tests. We've already tried to change the test's port but it's taking longer than expected, so it feels like just adding one more URL is more efficient

Summary by CodeRabbit

  • Bug Fixes
    • Improved local development support by allowing safe app iframe access from both supported localhost addresses.

@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown

@TimDaub is attempting to deploy a commit to the cow-dev Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


1 out of 2 committers have signed the CLA.
✅ (fairlighteth)[https://github.com/fairlighteth]
@TimDaub
You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

The Safe iframe origin allowlist now accepts both http://localhost:4003 and http://localhost:8080, while retaining the existing Safe app and preview origins.

Changes

Safe iframe origin validation

Layer / File(s) Summary
Expand localhost origin allowlist
libs/common-utils/src/getIsSafeAppIframe.ts
Adds separate localhost origins for ports 4003 and 8080 to SAFE_SUPPORTED_ORIGINS.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

Suggested reviewers: fairlighteth, limitofzero, elena-zh

Poem

A rabbit hops through ports anew,
Four-oh-three and eight-oh-eight-oh too.
The iframe guards now know the way,
Safe origins welcome both today.
Nibble, merge, and softly sway!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description explains the change, but it misses the required Summary/To Test sections and the template structure. Rewrite it using the template: add a Summary section, a To Test checklist with verification steps, and a brief Background if needed.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly reflects the main change: adding another local URL origin for safe app support.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
libs/common-utils/src/getIsSafeAppIframe.ts (1)

11-12: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Prefer descriptive constant names that include the port.

SAFE_APP_LOCAL_URL1/SAFE_APP_LOCAL_URL2 don't convey which port each represents. Including the port in the name makes the allowlist self-documenting.

♻️ Optional naming refactor
-const SAFE_APP_LOCAL_URL1 = 'http://localhost:4003'
-const SAFE_APP_LOCAL_URL2 = 'http://localhost:8080'
-const SAFE_SUPPORTED_ORIGINS = [SAFE_APP_ORIGIN, ...SAFE_APP_PREVIEW_URLS, SAFE_APP_LOCAL_URL1, SAFE_APP_LOCAL_URL2].map(
+const SAFE_APP_LOCAL_URL_4003 = 'http://localhost:4003'
+const SAFE_APP_LOCAL_URL_8080 = 'http://localhost:8080'
+const SAFE_SUPPORTED_ORIGINS = [SAFE_APP_ORIGIN, ...SAFE_APP_PREVIEW_URLS, SAFE_APP_LOCAL_URL_4003, SAFE_APP_LOCAL_URL_8080].map(
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@libs/common-utils/src/getIsSafeAppIframe.ts` around lines 11 - 12, Rename
SAFE_APP_LOCAL_URL1 and SAFE_APP_LOCAL_URL2 to descriptive constants that
include their respective ports, and update all references in getIsSafeAppIframe
accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@libs/common-utils/src/getIsSafeAppIframe.ts`:
- Around line 11-13: Add a positive test case for http://localhost:8080 in the
existing getIsSafeAppIframe test suite, alongside the http://localhost:4003
case, verifying it returns true and ensuring the new SAFE_APP_LOCAL_URL2 origin
is covered.

---

Nitpick comments:
In `@libs/common-utils/src/getIsSafeAppIframe.ts`:
- Around line 11-12: Rename SAFE_APP_LOCAL_URL1 and SAFE_APP_LOCAL_URL2 to
descriptive constants that include their respective ports, and update all
references in getIsSafeAppIframe accordingly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 29c8a20d-a06a-423f-8dfc-6b4f0a1fd39a

📥 Commits

Reviewing files that changed from the base of the PR and between 8ab088d and c9fdc62.

📒 Files selected for processing (1)
  • libs/common-utils/src/getIsSafeAppIframe.ts

Comment on lines +11 to +13
const SAFE_APP_LOCAL_URL1 = 'http://localhost:4003'
const SAFE_APP_LOCAL_URL2 = 'http://localhost:8080'
const SAFE_SUPPORTED_ORIGINS = [SAFE_APP_ORIGIN, ...SAFE_APP_PREVIEW_URLS, SAFE_APP_LOCAL_URL1, SAFE_APP_LOCAL_URL2].map(

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Add test coverage for the new localhost:8080 origin.

The existing test file (libs/common-utils/src/getIsSafeAppIframe.test.ts) explicitly enumerates http://localhost:4003 in the "returns true" cases but does not include http://localhost:8080. Without a test, a future regression that drops the new origin would go unnoticed.

💚 Proposed test addition
   it.each([
     ['https://app.safe.global'],
     ['https://safe-wallet-monorepo-cowswap-web.vercel.app'],
     ['https://safe-wallet-web.dev.5afe.dev'],
     ['https://safe-wallet-web.staging.5afe.dev'],
     ['https://pr-123.review.5afe.dev'],
     ['http://localhost:4003'],
+    ['http://localhost:8080'],
   ])('returns true for supported Safe parent origin %s', (origin) => {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@libs/common-utils/src/getIsSafeAppIframe.ts` around lines 11 - 13, Add a
positive test case for http://localhost:8080 in the existing getIsSafeAppIframe
test suite, alongside the http://localhost:4003 case, verifying it returns true
and ensuring the new SAFE_APP_LOCAL_URL2 origin is covered.

@elena-zh elena-zh requested a review from a team July 10, 2026 11:51

@fairlighteth fairlighteth left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ AI Review (Codex GPT-5, worked 9m18s): localhost:8080 misclassifies ordinary widget hosts as Safe

Finding: [BLOCKING] Scope localhost:8080 to the Safe test harness

  • Location: libs/common-utils/src/getIsSafeAppIframe.ts:12
  • This one is important: any ordinary dapp served from http://localhost:8080 that embeds the CoW widget now makes getIsSafeAppIframe() return true.
  • This registers and auto-connects the Safe connector, while the widget updaters skip normal widget-connector handling. A non-Safe host cannot answer Safe SDK requests, leaving the wallet flow unusable.
  • PR #7784 encountered this exact regression with localhost:3000, causing 39 Cypress ProviderNotFoundError failures before the origin was removed.
  • Safe PR #8283 confirms Playwright still needs port 8080, so support should be preserved through a Safe-specific signal rather than trusting the generic parent port globally.

Suggested fix

  • Require an explicit Safe test opt-in/handshake or similarly scoped signal for local origins.
  • Add positive coverage for the Safe :8080 harness and negative connector/updater coverage for an ordinary widget host on :8080.
Review scope and related context
  • CodeRabbit already covers the missing positive :8080 unit case and port-specific constant naming; those are not repeated here.
  • No CoW-owned dev server currently uses :8080; the regression affects external/local widget integrators.
  • Malformed and lookalike origins still fail closed. No separate security vulnerability was verified.
  • The existing targeted helper suite passes 13/13 but does not exercise the new origin.
🤖 Prompt for AI agents
Verify this finding against the current PR head.

Context:
- libs/common-utils/src/getIsSafeAppIframe.ts trusts any parent at http://localhost:8080.
- Wallet configuration consequently registers and auto-connects Safe.
- Ordinary CoW widget hosts on that port do not implement the Safe SDK.
- PR #7784 removed localhost:3000 after the same classification caused 39 Cypress failures.

Fix:
- Preserve the Safe Playwright harness through an explicit Safe-specific opt-in or handshake.
- Do not use a generic localhost port as the sole Safe identity.
- Test both the legitimate Safe :8080 case and an ordinary widget host on :8080.

Generated using the pr-review skill from the CoW Protocol skills repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants