Add additional local URL for safe app origins#7843
Conversation
|
@TimDaub is attempting to deploy a commit to the cow-dev Team on Vercel. A member of the Team first needs to authorize it. |
|
I have read the CLA Document and I hereby sign the CLA 1 out of 2 committers have signed the CLA. |
WalkthroughThe Safe iframe origin allowlist now accepts both ChangesSafe iframe origin validation
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related PRs
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
libs/common-utils/src/getIsSafeAppIframe.ts (1)
11-12: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valuePrefer descriptive constant names that include the port.
SAFE_APP_LOCAL_URL1/SAFE_APP_LOCAL_URL2don't convey which port each represents. Including the port in the name makes the allowlist self-documenting.♻️ Optional naming refactor
-const SAFE_APP_LOCAL_URL1 = 'http://localhost:4003' -const SAFE_APP_LOCAL_URL2 = 'http://localhost:8080' -const SAFE_SUPPORTED_ORIGINS = [SAFE_APP_ORIGIN, ...SAFE_APP_PREVIEW_URLS, SAFE_APP_LOCAL_URL1, SAFE_APP_LOCAL_URL2].map( +const SAFE_APP_LOCAL_URL_4003 = 'http://localhost:4003' +const SAFE_APP_LOCAL_URL_8080 = 'http://localhost:8080' +const SAFE_SUPPORTED_ORIGINS = [SAFE_APP_ORIGIN, ...SAFE_APP_PREVIEW_URLS, SAFE_APP_LOCAL_URL_4003, SAFE_APP_LOCAL_URL_8080].map(🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@libs/common-utils/src/getIsSafeAppIframe.ts` around lines 11 - 12, Rename SAFE_APP_LOCAL_URL1 and SAFE_APP_LOCAL_URL2 to descriptive constants that include their respective ports, and update all references in getIsSafeAppIframe accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@libs/common-utils/src/getIsSafeAppIframe.ts`:
- Around line 11-13: Add a positive test case for http://localhost:8080 in the
existing getIsSafeAppIframe test suite, alongside the http://localhost:4003
case, verifying it returns true and ensuring the new SAFE_APP_LOCAL_URL2 origin
is covered.
---
Nitpick comments:
In `@libs/common-utils/src/getIsSafeAppIframe.ts`:
- Around line 11-12: Rename SAFE_APP_LOCAL_URL1 and SAFE_APP_LOCAL_URL2 to
descriptive constants that include their respective ports, and update all
references in getIsSafeAppIframe accordingly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 29c8a20d-a06a-423f-8dfc-6b4f0a1fd39a
📒 Files selected for processing (1)
libs/common-utils/src/getIsSafeAppIframe.ts
| const SAFE_APP_LOCAL_URL1 = 'http://localhost:4003' | ||
| const SAFE_APP_LOCAL_URL2 = 'http://localhost:8080' | ||
| const SAFE_SUPPORTED_ORIGINS = [SAFE_APP_ORIGIN, ...SAFE_APP_PREVIEW_URLS, SAFE_APP_LOCAL_URL1, SAFE_APP_LOCAL_URL2].map( |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Add test coverage for the new localhost:8080 origin.
The existing test file (libs/common-utils/src/getIsSafeAppIframe.test.ts) explicitly enumerates http://localhost:4003 in the "returns true" cases but does not include http://localhost:8080. Without a test, a future regression that drops the new origin would go unnoticed.
💚 Proposed test addition
it.each([
['https://app.safe.global'],
['https://safe-wallet-monorepo-cowswap-web.vercel.app'],
['https://safe-wallet-web.dev.5afe.dev'],
['https://safe-wallet-web.staging.5afe.dev'],
['https://pr-123.review.5afe.dev'],
['http://localhost:4003'],
+ ['http://localhost:8080'],
])('returns true for supported Safe parent origin %s', (origin) => {🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@libs/common-utils/src/getIsSafeAppIframe.ts` around lines 11 - 13, Add a
positive test case for http://localhost:8080 in the existing getIsSafeAppIframe
test suite, alongside the http://localhost:4003 case, verifying it returns true
and ensuring the new SAFE_APP_LOCAL_URL2 origin is covered.
fairlighteth
left a comment
There was a problem hiding this comment.
⚠️ AI Review (Codex GPT-5, worked 9m18s): localhost:8080 misclassifies ordinary widget hosts as Safe
Finding: [BLOCKING] Scope localhost:8080 to the Safe test harness
- Location:
libs/common-utils/src/getIsSafeAppIframe.ts:12 - This one is important: any ordinary dapp served from
http://localhost:8080that embeds the CoW widget now makesgetIsSafeAppIframe()returntrue. - This registers and auto-connects the Safe connector, while the widget updaters skip normal widget-connector handling. A non-Safe host cannot answer Safe SDK requests, leaving the wallet flow unusable.
- PR #7784 encountered this exact regression with
localhost:3000, causing 39 CypressProviderNotFoundErrorfailures before the origin was removed. - Safe PR #8283 confirms Playwright still needs port
8080, so support should be preserved through a Safe-specific signal rather than trusting the generic parent port globally.
Suggested fix
- Require an explicit Safe test opt-in/handshake or similarly scoped signal for local origins.
- Add positive coverage for the Safe
:8080harness and negative connector/updater coverage for an ordinary widget host on:8080.
Review scope and related context
- CodeRabbit already covers the missing positive
:8080unit case and port-specific constant naming; those are not repeated here. - No CoW-owned dev server currently uses
:8080; the regression affects external/local widget integrators. - Malformed and lookalike origins still fail closed. No separate security vulnerability was verified.
- The existing targeted helper suite passes 13/13 but does not exercise the new origin.
🤖 Prompt for AI agents
Verify this finding against the current PR head.
Context:
- libs/common-utils/src/getIsSafeAppIframe.ts trusts any parent at http://localhost:8080.
- Wallet configuration consequently registers and auto-connects Safe.
- Ordinary CoW widget hosts on that port do not implement the Safe SDK.
- PR #7784 removed localhost:3000 after the same classification caused 39 Cypress failures.
Fix:
- Preserve the Safe Playwright harness through an explicit Safe-specific opt-in or handshake.
- Do not use a generic localhost port as the sole Safe identity.
- Test both the legitimate Safe :8080 case and an ordinary widget host on :8080.
Generated using the pr-review skill from the CoW Protocol skills repo.
Hi,
the limit to port 4003 on the iframe is sadly breaking our e2e test suite and we would like to not spend a whole lot of time switching all the tests now from one port to another port. So my idea would be that we just also hard code the port that we've been using historically to run our tests. We've already tried to change the test's port but it's taking longer than expected, so it feels like just adding one more URL is more efficient
Summary by CodeRabbit