Skip to content

fix(browser)!: require sessionId for orchestrator html request#10522

Merged
sheremet-va merged 10 commits into
vitest-dev:mainfrom
hi-ogawa:harden-browser-orchestrator-session
Jun 8, 2026
Merged

fix(browser)!: require sessionId for orchestrator html request#10522
sheremet-va merged 10 commits into
vitest-dev:mainfrom
hi-ogawa:harden-browser-orchestrator-session

Conversation

@hi-ogawa

@hi-ogawa hi-ogawa commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Description

Previously any request to /__vitest_test__ serves the same html as /__vitest_test__/?sessionId=... even though the direct request to /__vitest_test__ doesn't provide working browser mode experience. This PR changes to return 404 on /__vitest_test__ to reduce exposed API credentials surface.

TODO

  • doc

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. If the feature is substantial or introduces breaking changes without a discussion, PR might be closed.
  • Ideally, include a test that fails without this PR but passes with it.
  • Please, don't make changes to pnpm-lock.yaml unless you introduce a new test example.
  • Please check Allow edits by maintainers to make review process faster. Note that this option is not available for repositories that are owned by Github organizations.

Tests

  • Run the tests with pnpm test:ci.

Documentation

  • If you introduce new functionality, document it. You can run documentation with pnpm run docs command.

Changesets

  • Changes in changelog are generated from PR name. Please, make sure that it explains your changes in an understandable manner. Please, prefix changeset messages with feat:, fix:, perf:, docs:, or chore:.

hi-ogawa and others added 7 commits June 5, 2026 14:10
@hi-ogawa @codex
fix(browser): require session for orchestrator
2ee61e9 
Co-authored-by: Codex <noreply@openai.com>
@hi-ogawa @codex
chore: remove preview test change
a50d919 
Co-authored-by: Codex <noreply@openai.com>
@hi-ogawa @codex
test(browser): assert preview requires session
e88da19 
Co-authored-by: Codex <noreply@openai.com>
@hi-ogawa
nit
9e06cec
@hi-ogawa
fix: respond 404
aa7df45
@hi-ogawa @codex
fix(browser): reject empty tester session
fe8d08b 
Co-authored-by: Codex <noreply@openai.com>
@hi-ogawa @codex
fix(browser): satisfy orchestrator types
7feffc7 
Co-authored-by: Codex <noreply@openai.com>
hi-ogawa
hi-ogawa commented Jun 5, 2026
View reviewed changes
Comment thread packages/vitest/src/node/stdin.ts
['p', 'filter by a filename'],
['t', 'filter by a test name regex pattern'],
['w', 'filter by a project name'],
['b', 'start the browser server if not started yet'],

@hi-ogawa hi-ogawa Jun 5, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From a quick look, b doesn't do anything meaningful now? I may have missed some context, so will verify later with

@hi-ogawa hi-ogawa Jun 8, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this doesn't look doing anything meaningful, so propose removing it together. The current behavior is explained in:

@sheremet-va sheremet-va Jun 8, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be printed for preview at least, because it's possible that openPage doesn't open the browser correctly

I think the main use case for b was to start the browsers in the standalone mode, but we fixed that separetly

This was referenced Jun 8, 2026
Open
Closed
@hi-ogawa @codex
docs(browser): remove stale watch shortcut note
08b513f 
Co-authored-by: Codex <noreply@openai.com>
@netlify

netlify Bot commented Jun 8, 2026
edited
Loading

Copy link
Copy Markdown

Deploy Preview for vitest-dev ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 510d944
🔍 Latest deploy log https://app.netlify.com/projects/vitest-dev/deploys/6a263246cfa3dd0008c35391
😎 Deploy Preview https://deploy-preview-10522--vitest-dev.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@hi-ogawa @codex
docs: mention browser orchestrator session requirement
510d944 
Co-authored-by: Codex <noreply@openai.com>
@hi-ogawa hi-ogawa marked this pull request as ready for review June 8, 2026 03:31
@sheremet-va sheremet-va merged commit 79b7d8f into vitest-dev:main Jun 8, 2026
15 of 18 checks passed
@hi-ogawa hi-ogawa deleted the harden-browser-orchestrator-session branch June 8, 2026 05:27
This was referenced Jun 18, 2026
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sheremet-va sheremet-va sheremet-va approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Decide whether watch-mode b should be redesigned as a real browser-session shortcut or removed

2 participants

@hi-ogawa @sheremet-va