Skip to content

feat(mcp): support wildcard port in allowedOrigins and blockedOrigins#38944

Merged
yury-s merged 2 commits intomicrosoft:mainfrom
saarya-cyera:fix/mcp-origin-wildcard-port
Feb 3, 2026
Merged

feat(mcp): support wildcard port in allowedOrigins and blockedOrigins#38944
yury-s merged 2 commits intomicrosoft:mainfrom
saarya-cyera:fix/mcp-origin-wildcard-port

Conversation

@saarya-cyera
Copy link
Copy Markdown
Contributor

@saarya-cyera saarya-cyera commented Jan 24, 2026

Summary

Add support for wildcard port syntax like http://localhost:* in the network.allowedOrigins and network.blockedOrigins config options. This allows restricting browser requests to a specific protocol and hostname while accepting any port number.

Fixes microsoft/playwright-mcp#1337

Changes

  • packages/playwright/src/mcp/browser/context.ts: Update originOrHostGlob() to detect wildcard port patterns and generate the correct glob pattern
  • packages/playwright/src/mcp/config.d.ts: Document supported origin formats in JSDoc
  • tests/mcp/request-blocking.spec.ts: Add 4 tests for wildcard port functionality

Problem

Previously, patterns like http://localhost:* would fail to parse as a valid URL, causing the code to fall through to legacy host-only mode and generate an invalid glob pattern like *://http://localhost:*/** which never matches anything.

Solution

Detect wildcard port patterns with regex before attempting URL parsing:

const wildcardPortMatch = originOrHost.match(/^(https?):\/\/([^/:]+):\*$/);
if (wildcardPortMatch) {
  const [, protocol, hostname] = wildcardPortMatch;
  return `${protocol}://${hostname}:*/**`;
}
Input Previous Output New Output
http://localhost:* *://http://localhost:*/** http://localhost:*/**
https://example.com:* *://https://example.com:*/** https://example.com:*/**
http://localhost:8000 http://localhost:8000/** (unchanged)
localhost *://localhost/** (unchanged)

Use Case

This is useful when you want to:

  • Allow only HTTP (not HTTPS) traffic to localhost
  • Allow localhost on any port while blocking other hosts
  • Have more granular control over protocol while keeping port flexibility

@saarya-cyera
feat(mcp): support wildcard port in allowedOrigins and blockedOrigins
6f842bc 
Add support for wildcard port syntax like `http://localhost:*` in the
network.allowedOrigins and network.blockedOrigins config options. This
allows restricting browser requests to a specific protocol and hostname
while accepting any port number.

Previously, patterns like `http://localhost:*` would fail to parse as a
valid URL, causing the code to fall through to legacy host-only mode
and generate an invalid glob pattern like `*://http://localhost:*/**`.

The fix detects wildcard port patterns and generates the correct glob
pattern `http://localhost:*/**` which properly matches any port.
@saarya-cyera saarya-cyera force-pushed the fix/mcp-origin-wildcard-port branch from 7608161 to 6f842bc Compare January 24, 2026 05:35
@saarya-cyera
Copy link
Copy Markdown
Contributor Author

saarya-cyera commented Jan 24, 2026

@microsoft-github-policy-service agree company="Cyera"

yury-s
yury-s reviewed Jan 26, 2026
View reviewed changes
Comment thread packages/playwright/src/mcp/browser/context.ts Outdated
Comment thread packages/playwright/src/mcp/config.d.ts Outdated
Comment thread packages/playwright/src/mcp/config.d.ts Outdated
@github-actions

This comment has been minimized.

Sign in to view
@saarya-cyera saarya-cyera force-pushed the fix/mcp-origin-wildcard-port branch from 18bd274 to 83d9635 Compare January 29, 2026 22:07
@saarya-cyera
Copy link
Copy Markdown
Contributor Author

saarya-cyera commented Feb 2, 2026

@yury-s thanks for the review! I fixed the comments and need another review to merge - would you have a minute to circle back to this? Thanks!

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Feb 3, 2026

Test results for "MCP"

4 failed
❌ [chrome] › mcp/cli.spec.ts:496 › session › session-delete named session @mcp-ubuntu-latest
❌ [chrome] › mcp/cli.spec.ts:386 › devtools › video-start-stop @mcp-macos-15
❌ [chromium] › mcp/cli.spec.ts:298 › save as › screenshot --filename @mcp-macos-15
❌ [chromium] › mcp/cli.spec.ts:386 › devtools › video-start-stop @mcp-macos-15

3650 passed, 129 skipped

Merge workflow run.

@yury-s yury-s merged commit e7c89ef into microsoft:main Feb 3, 2026
4 of 6 checks passed
@saarya-cyera
Copy link
Copy Markdown
Contributor Author

saarya-cyera commented Feb 4, 2026

Thanks @yury-s !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yury-s yury-s yury-s approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: MCP --allowed-origins with wildcard port (http://localhost:*) generates invalid glob pattern

2 participants

@saarya-cyera @yury-s