From e17786c2e34699130b7e91e6b0d1fd60936b1c57 Mon Sep 17 00:00:00 2001 From: openhands Date: Sat, 20 Dec 2025 11:36:33 +0000 Subject: [PATCH] Fix CORS to allow DOCKER_HOST_ADDR for remote browser access When accessing OpenHands from a remote browser, CORS blocks requests from the main app (e.g., http://192.168.1.206:3000) to agent-server containers because the middleware only allowed localhost/127.0.0.1. This adds support for the DOCKER_HOST_ADDR environment variable, allowing the agent-server to accept requests from the server's actual IP address. Co-authored-by: openhands --- .../openhands/agent_server/middleware.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/openhands-agent-server/openhands/agent_server/middleware.py b/openhands-agent-server/openhands/agent_server/middleware.py index 2de4309c05..57f649bb55 100644 --- a/openhands-agent-server/openhands/agent_server/middleware.py +++ b/openhands-agent-server/openhands/agent_server/middleware.py @@ -1,3 +1,4 @@ +import os from urllib.parse import urlparse from fastapi.middleware.cors import CORSMiddleware @@ -6,7 +7,7 @@ class LocalhostCORSMiddleware(CORSMiddleware): """Custom CORS middleware that allows any request from localhost/127.0.0.1 domains, - while using standard CORS rules for other origins. + as well as the DOCKER_HOST_ADDR IP, while using standard CORS rules for other origins. """ def __init__(self, app: ASGIApp, allow_origins: list[str]) -> None: @@ -27,6 +28,11 @@ def is_allowed_origin(self, origin: str) -> bool: if hostname in ["localhost", "127.0.0.1"]: return True + # Also allow DOCKER_HOST_ADDR if set (for remote browser access) + docker_host_addr = os.environ.get("DOCKER_HOST_ADDR") + if docker_host_addr and hostname == docker_host_addr: + return True + # For missing origin or other origins, use the parent class's logic result: bool = super().is_allowed_origin(origin) return result