Fix CORS to allow DOCKER_HOST_ADDR for remote browser access #1466
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When accessing OpenHands from a remote browser, CORS blocks requests from the main app (e.g., http://192.168.1.206:3000) to agent-server containers because the middleware only allowed localhost/127.0.0.1. This adds support for the DOCKER_HOST_ADDR environment variable, allowing the agent-server to accept requests from the server's actual IP address. Co-authored-by: openhands <openhands@all-hands.dev>
Contributor
|
[Automatic Post]: I have assigned @xingyaoww as a reviewer based on git blame information. Thanks in advance for the help! |
Contributor
|
[Automatic Post]: This PR seems to be currently waiting for review. @xingyaoww, could you please take a look when you have a chance? |
Collaborator
|
[Automatic Post]: It has been a while since there was any activity on this PR. @shanemort1982, are you still working on it? If so, please go ahead, if not then please request review, close it, or request that someone else follow up. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Fixes CORS errors when accessing OpenHands from a remote browser.
Problem
When accessing OpenHands from a remote machine, the browser shows CORS errors:
The main OpenHands app runs on
http://192.168.1.206:3000, but when it makes requests to agent-server containers (on different ports), theLocalhostCORSMiddlewareblocks them because it only allowslocalhostand127.0.0.1.Root Cause
The
LocalhostCORSMiddlewareinmiddleware.pyonly checks for localhost/127.0.0.1 origins. When OpenHands is accessed via a server IP (e.g.,192.168.1.206), cross-origin requests from the main app to agent-server containers are blocked.Solution
This PR adds support for the
DOCKER_HOST_ADDRenvironment variable to the CORS middleware. When set, the middleware will also allow requests from that IP address.Changes
openhands-agent-server/openhands/agent_server/middleware.pyosand check forDOCKER_HOST_ADDR(lines 1, 31-34)Testing
Tested with:
http://192.168.1.206:3000DOCKER_HOST_ADDR=192.168.1.206Before this fix: CORS errors block API requests from main app to agent-server
After this fix: Requests from
192.168.1.206:3000to agent-server allowedRelated Issues
Backward Compatibility
DOCKER_HOST_ADDRis not set, behavior is unchangedSecurity Note
This change only allows cross-origin requests from the IP specified in
DOCKER_HOST_ADDR. The middleware still: