Skip to content

fix(miniflare): reject non-local /cdn-cgi requests#13426

Merged
edmundhung merged 2 commits intomainfrom
edmundhung/dev-tunnel-miniflare-hardening
Apr 14, 2026
Merged

fix(miniflare): reject non-local /cdn-cgi requests#13426
edmundhung merged 2 commits intomainfrom
edmundhung/dev-tunnel-miniflare-hardening

Conversation

@edmundhung
Copy link
Copy Markdown
Member

@edmundhung edmundhung commented Apr 10, 2026
edited by devin-ai-integration bot
Loading

Fixes DEVX-2556.

This extends the origin validation added for the local explorer to cover all cdn-cgi requests.

  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: no feature change.

A picture of a cute animal (not mandatory, but encouraged)

Open with Devin

@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Apr 10, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 3245531

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-project-automation github-project-automation bot moved this to Untriaged in workers-sdk Apr 10, 2026
@workers-devprod workers-devprod requested a review from a team April 10, 2026 20:57
@workers-devprod
Copy link
Copy Markdown
Contributor

workers-devprod commented Apr 10, 2026
edited
Loading

Codeowners approval required for this PR:

  • ✅ @cloudflare/wrangler
Show detailed file reviewers

@workers-devprod workers-devprod requested review from NuroDev and removed request for a team April 10, 2026 20:57
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 10, 2026
edited
Loading

✅ All changesets look good

@ask-bonk
Copy link
Copy Markdown
Contributor

ask-bonk bot commented Apr 10, 2026

UnknownError: ProviderInitError

github run

@ask-bonk
Copy link
Copy Markdown
Contributor

ask-bonk bot commented Apr 10, 2026

@edmundhung Bonk workflow failed. Check the logs for details.

View workflow run · To retry, trigger Bonk again.

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Apr 10, 2026
edited
Loading

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13426

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13426

miniflare

npm i https://pkg.pr.new/miniflare@13426

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13426

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13426

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13426

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13426

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13426

wrangler

npm i https://pkg.pr.new/wrangler@13426

commit: 3245531

devin-ai-integration[bot]

This comment was marked as resolved.

Sign in to view

@edmundhung edmundhung force-pushed the edmundhung/dev-tunnel-miniflare-hardening branch from 9a83565 to ba5a91a Compare April 10, 2026 21:11
@edmundhung edmundhung marked this pull request as draft April 10, 2026 21:20
@edmundhung edmundhung force-pushed the edmundhung/dev-tunnel-miniflare-hardening branch from ba5a91a to 9f40913 Compare April 10, 2026 21:22
@edmundhung edmundhung force-pushed the edmundhung/dev-tunnel-miniflare-hardening branch from 9f40913 to 53de8ae Compare April 10, 2026 22:27
@edmundhung edmundhung marked this pull request as ready for review April 10, 2026 22:30
NuroDev
NuroDev approved these changes Apr 14, 2026
View reviewed changes
Comment thread packages/miniflare/src/workers/core/entry.worker.ts Outdated
workers-devprod
workers-devprod approved these changes Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@workers-devprod workers-devprod left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codeowners reviews satisfied

@github-project-automation github-project-automation bot moved this from Untriaged to Approved in workers-sdk Apr 14, 2026
@edmundhung edmundhung merged commit 89c7829 into main Apr 14, 2026
56 of 57 checks passed
@edmundhung edmundhung deleted the edmundhung/dev-tunnel-miniflare-hardening branch April 14, 2026 12:38
@github-project-automation github-project-automation bot moved this from Approved to Done in workers-sdk Apr 14, 2026
@workers-devprod workers-devprod mentioned this pull request Apr 14, 2026
Merged
petebacondarwin pushed a commit that referenced this pull request Apr 14, 2026
@edmundhung @petebacondarwin
fix(miniflare): reject non-local /cdn-cgi requests (#13426)
33137ee
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

@NuroDev NuroDev NuroDev approved these changes

@workers-devprod workers-devprod workers-devprod approved these changes

Assignees

No one assigned

Labels

None yet

Projects

workers-sdk
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@edmundhung @workers-devprod @NuroDev