fix(security): block cross-origin mutations on loopback browser routes

Peter Steinberger
2026-02-14 15:40:56 +01:00
parent 1f1fc095a0
commit b566b09f81
4 changed files with 167 additions and 0 deletions


@@ -5,6 +5,7 @@ import { loadConfig } from "../config/config.js";
import { createSubsystemLogger } from "../logging/subsystem.js";
import { resolveBrowserConfig, resolveProfile } from "./config.js";
import { ensureBrowserControlAuth, resolveBrowserControlAuth } from "./control-auth.js";
import { browserMutationGuardMiddleware } from "./csrf.js";
import { ensureChromeExtensionRelayServer } from "./extension-relay.js";
import { isAuthorizedBrowserRequest } from "./http-auth.js";
import { isPwAiLoaded } from "./pw-ai-state.js";
@@ -56,6 +57,7 @@ export async function startBrowserControlServerFromConfig(): Promise<BrowserServ
next();
});
app.use(express.json({ limit: "1mb" }));
app.use(browserMutationGuardMiddleware());
if (browserAuth.token || browserAuth.password) {
app.use((req, res, next) => {