codex

mirror of https://github.com/openai/codex.git synced 2026-05-30 07:50:17 +00:00

Files

viyatb-oai a027135bc6 fix(exec-server): reject websocket requests with Origin headers (#24947 )

## Why

`codex exec-server` has a local WebSocket listener, but it did not apply
the same browser-origin request handling as the `app-server` WebSocket
transport. Requests that carry an `Origin` header should not be upgraded
by this local transport, keeping both local WebSocket servers consistent
and avoiding unexpected browser-initiated connections.

## What changed

- Added an Axum middleware guard in
`codex-rs/exec-server/src/server/transport.rs` that returns `403
Forbidden` for requests carrying an `Origin` header.
- Added an integration test in `codex-rs/exec-server/tests/websocket.rs`
that covers rejection of an `Origin`-bearing WebSocket handshake.
- Kept ordinary WebSocket clients unchanged: existing no-`Origin`
initialization and process behavior remains covered by the crate tests.

## Validation

- `just test -p codex-exec-server` test phase (`186 passed`; run outside
the parent macOS sandbox so nested sandbox tests can execute)
- `just clippy -p codex-exec-server`

2026-05-28 14:44:14 -07:00

common

[exec-server] serve websocket listener via HTTP upgrade (#21963 )

2026-05-11 17:04:21 -07:00

exec_process.rs

fix(exec-server): retain output until streams close (#18946 )

2026-04-23 19:49:58 +00:00

file_system.rs

tests: cover sandbox link write behavior (#21819 )

2026-05-09 08:28:15 -07:00

health.rs

[exec-server] serve websocket listener via HTTP upgrade (#21963 )