Skip to content

Commit de85300

Browse files
committed
fix(dev): restrict default CORS origins and WebSocket allowed origins to localhost
The dev server defaulted to a wildcard CORS policy (Access-Control-Allow-Origin: *) and registered the /run_live WebSocket endpoint with setAllowedOrigins("*"). Any page loaded from an arbitrary origin could therefore read HTTP responses and complete a cross-origin WebSocket handshake against a locally running dev server, giving a remote site read and drive access to the agent. - AdkWebCorsProperties: change the default allowed-origins fallback from ["*"] to ["http://localhost:8080", "http://127.0.0.1:8080"] so the dev UI keeps working out of the box while all other origins are rejected by the browser. - WebSocketConfig: inject AdkWebCorsProperties and derive the WebSocket allowed-origins list from the same property, eliminating the separate hardcoded wildcard and keeping both policies in sync. Users who need a broader allowlist can set adk.web.cors.origins explicitly.
1 parent cc3b9ce commit de85300

2 files changed

Lines changed: 12 additions & 3 deletions

File tree

dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,10 @@ public record AdkWebCorsProperties(
3434

3535
public AdkWebCorsProperties {
3636
mapping = mapping != null ? mapping : "/**";
37-
origins = origins != null && !origins.isEmpty() ? origins : List.of("*");
37+
origins =
38+
origins != null && !origins.isEmpty()
39+
? origins
40+
: List.of("http://localhost:8080", "http://127.0.0.1:8080");
3841
methods =
3942
methods != null && !methods.isEmpty()
4043
? methods

dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@
1616

1717
package com.google.adk.web.websocket;
1818

19+
import com.google.adk.web.config.AdkWebCorsProperties;
1920
import org.springframework.beans.factory.annotation.Autowired;
2021
import org.springframework.context.annotation.Configuration;
2122
import org.springframework.web.socket.config.annotation.EnableWebSocket;
@@ -28,14 +29,19 @@
2829
public class WebSocketConfig implements WebSocketConfigurer {
2930

3031
private final LiveWebSocketHandler liveWebSocketHandler;
32+
private final AdkWebCorsProperties corsProperties;
3133

3234
@Autowired
33-
public WebSocketConfig(LiveWebSocketHandler liveWebSocketHandler) {
35+
public WebSocketConfig(
36+
LiveWebSocketHandler liveWebSocketHandler, AdkWebCorsProperties corsProperties) {
3437
this.liveWebSocketHandler = liveWebSocketHandler;
38+
this.corsProperties = corsProperties;
3539
}
3640

3741
@Override
3842
public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
39-
registry.addHandler(liveWebSocketHandler, "/run_live").setAllowedOrigins("*");
43+
registry
44+
.addHandler(liveWebSocketHandler, "/run_live")
45+
.setAllowedOrigins(corsProperties.origins().toArray(new String[0]));
4046
}
4147
}

0 commit comments

Comments
 (0)