6 Commits

Author SHA1 Message Date
Tommy D. Rossi 86e7f7d861 Update remote-access.md 2026-02-26 21:18:43 +01:00
Tommy D. Rossi f87b0243cd format 2026-02-22 15:21:38 +01:00
Tommy D. Rossi 539aeaac91 rename accessibilitySnapshot to snapshot for shorter agent usage
The function is now exposed as `snapshot()` in the executor sandbox scope.
`accessibilitySnapshot` remains as a backward-compatible alias pointing to
the same function, so existing agents and saved commands continue to work.

Updated all code examples across skill.md, README, PLAYWRITER_AGENTS,
docs, tests, and the extension welcome page to use the shorter name.
2026-02-18 17:13:57 +01:00
Tommy D. Rossi 05700fa53b release: playwriter@0.0.63
Security hardening for privileged HTTP routes (/cli/*, /recording/*).

- Block cross-origin browser requests via Sec-Fetch-Site header validation (browsers always set this forbidden header; Node.js/curl clients don't send it, so they're unaffected)
- Reject POST requests without Content-Type: application/json to prevent the CORS simple-request bypass (text/plain POST skips CORS preflight entirely)
- Enforce token authentication on /cli/* and /recording/* when --token is set (remote access mode), matching the behavior documented in remote-access.md
- Update remote-access.md to clarify which routes require token auth
- Add security regression tests covering all attack vectors: Sec-Fetch-Site blocking, Content-Type enforcement, token validation, and Node.js client pass-through
2026-02-17 15:54:39 +01:00
Tommy D. Rossi ce775c06f6 fix: hide frontmatter in remote-access doc from GitHub rendering 2026-02-16 11:32:12 +01:00
Tommy D. Rossi fa68e33a78 feat: support HTTPS URLs in PLAYWRITER_HOST + remote access guide
PLAYWRITER_HOST now accepts full URLs like `https://x-tunnel.traforo.dev`
in addition to plain hostnames. Previously it always constructed
`http://${host}:19988` which broke when using traforo tunnels (HTTPS on
port 443).

Added `parseRelayHost()` utility that detects URL protocols and returns
correct HTTP/WebSocket base URLs. Updated all consumers:
- cli.ts: getServerUrl()
- mcp.ts: getLogServerUrl(), checkRemoteServer()
- executor.ts: checkExtensionStatus()
- utils.ts: getCdpUrl() (ws:// → wss:// for HTTPS hosts)

Plain hostnames still work as before (appends :19988).

Added docs/remote-access.md covering:
- Architecture: playwriter serve + traforo tunnel through Cloudflare
- Host and remote machine setup with env vars
- Use cases: remote Mac mini, user support, multi-machine, VM/devcontainer
- Security model: non-guessable URLs, token auth, localhost-only extension
  endpoint, no open ports, visible automation, instant revocation
2026-02-14 16:31:04 +01:00