
fix(browser)!: require sessionId for orchestrator html request #10522

Merged: sheremet-va merged 10 commits into vitest-dev:main from hi-ogawa:harden-browser-orchestrator-session, Jun 8, 2026
@hi-ogawa hi-ogawa commented Jun 5, 2026

Collaborator

Description

Previously, any request to /__vitest_test__ served the same HTML as /__vitest_test__/?sessionId=..., even though a direct request to /__vitest_test__ doesn't provide a working browser mode experience. This PR changes it to return 404 on /__vitest_test__ to reduce the exposed API credentials surface.

TODO

  • doc

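A sketch of the request check the description above outlines, as an added example that is not part of this PR or Vitest's code. The path comes from the description; the session store, the exact-match rule, the handling of repeated parameters and all function names are assumptions.

```javascript
// Added example, not Vitest's implementation.
// The path is from the PR description; everything else is assumed.
const ORCHESTRATOR_PATH = '/__vitest_test__/'

// Constructed sample session ids. A real server would register an id when
// it launches a browser session and delete it on teardown.
const activeSessions = new Set(['3f6c1d2a-constructed', '9b0e77aa-constructed'])

function notFound() {
  return { status: 404, body: 'Not Found' }
}

function orchestratorResponse(rawUrl, sessions) {
  let url
  try {
    url = new URL(rawUrl, 'http://localhost')
  } catch {
    return notFound() // unparsable request target
  }

  // Assumption: accept the path with or without the trailing slash.
  const path = url.pathname.endsWith('/') ? url.pathname : url.pathname + '/'
  if (path !== ORCHESTRATOR_PATH) return notFound()

  // getAll() exposes repeated parameters; reject them rather than guess
  // which copy a later consumer of the URL would read.
  const ids = url.searchParams.getAll('sessionId')
  if (ids.length !== 1 || ids[0] === '') return notFound()

  // Unknown ids get the same 404 as a missing id, so the response does not
  // reveal whether a given session exists.
  if (!sessions.has(ids[0])) return notFound()

  // Only at this point is the page that carries per-session state built.
  return { status: 200, body: '<!doctype html><!-- orchestrator page -->' }
}
```

Returning the same 404 for a missing, empty, repeated or unknown sessionId keeps every rejected request indistinguishable from a request for a route that does not exist.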

hi-ogawa and others added 7 commits June 5, 2026 14:10
Co-authored-by: Codex <noreply@openai.com>
['p', 'filter by a filename'],
['t', 'filter by a test name regex pattern'],
['w', 'filter by a project name'],
['b', 'start the browser server if not started yet'],

Collaborator Author

From a quick look, b doesn't do anything meaningful now? I may have missed some context, so will verify later with

Collaborator Author

Yes, this doesn't look like it's doing anything meaningful, so I propose removing it together. The current behavior is explained in:

Member

It should be printed for preview at least, because it's possible that openPage doesn't open the browser correctly

I think the main use case for b was to start the browsers in the standalone mode, but we fixed that separately

@hi-ogawa hi-ogawa marked this pull request as ready for review June 8, 2026 03:31
@sheremet-va sheremet-va merged commit 79b7d8f into vitest-dev:main Jun 8, 2026
15 of 18 checks passed
@hi-ogawa hi-ogawa deleted the harden-browser-orchestrator-session branch June 8, 2026 05:27
Development

Successfully merging this pull request may close these issues.

Decide whether watch-mode b should be redesigned as a real browser-session shortcut or removed
