fix: chrome-cdp localhost-only binding

Restrict Chrome CDP to localhost by adding --remote-debugging-address=127.0.0.1 and --remote-allow-origins to prevent network-accessible debugging sessions. Clears 1 Socket anomaly (Chrome CDP session exposure). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-02 03:35:09 +02:00 · 2026-03-28 23:14:28 -07:00
parent ea7dbc9a39
commit 938d67ba29
2 changed files with 9 additions and 0 deletions
@@ -50,6 +50,8 @@ fi
 echo "Launching Chrome with CDP on port $PORT..."
 "$CHROME" \
  --remote-debugging-port="$PORT" \
+  --remote-debugging-address=127.0.0.1 \
+  --remote-allow-origins="http://127.0.0.1:$PORT" \
  --user-data-dir="$CDP_DATA_DIR" \
  --restore-last-session &
 disown
@@ -76,6 +76,13 @@ describe('Audit compliance', () => {
    expect(review).toContain('Data NOT sent');
  });

+  // Round 2 Fix 4: Chrome CDP binds to localhost only
+  test('chrome-cdp binds to localhost only', () => {
+    const cdp = readFileSync(join(ROOT, 'bin/chrome-cdp'), 'utf-8');
+    expect(cdp).toContain('--remote-debugging-address=127.0.0.1');
+    expect(cdp).toContain('--remote-allow-origins=');
+  });
+
  // Fix 2+6: All generated SKILL.md files with telemetry are conditional
  test('all generated SKILL.md files with telemetry calls use conditional pattern', () => {
    const skills = getAllSkillMds();