Skip to content

Add IP address and CIDR support to the allowlist#85

Merged
ACK-J merged 9 commits into
mainfrom
cursor/allowlist-ip-cidr-2f4b
Jul 12, 2026
Merged

Add IP address and CIDR support to the allowlist#85
ACK-J merged 9 commits into
mainfrom
cursor/allowlist-ip-cidr-2f4b

Conversation

@ACK-J

@ACK-J ACK-J commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Summary

Fixes #66 and #64 by making IP address and CIDR allowlist entries actually take effect.

Problem

Solution

  • Portless IP entries match the same address on any port
  • CIDR ranges match IPv4 and IPv6 origins/destinations
  • localhost is treated as equivalent to 127.0.0.1 when matching against IP entries
  • Domain entries still only match the page origin (e.g. discord.com)
  • IP and CIDR entries match both the page origin and request destinations (so allowlisting 127.0.0.1 works from file:// test pages too)

Matching lives in global/allowlist.js and reuses IP helpers from global/privateAddress.js. The preferences UI documents the new entry types.

Example

Page origin Request target Allowlist Result
127.0.0.1:3000 127.0.0.1:80 127.0.0.1 Allowed
192.168.1.50:8006 192.168.1.50:8008 192.168.1.0/24 Allowed
file:// (empty host) 127.0.0.1:80 127.0.0.1 Allowed
evil.com 127.0.0.1:80 discord.com Blocked
discord.com 127.0.0.1:80 discord.com Allowed

Test plan

  • Unit tests for IP/CIDR normalization, matching, and request-filter allowlist paths (npm test — 525 passed)
  • Add 127.0.0.1 to allowlist, open TestPortScans.html, confirm loopback scans are not blocked
  • Add LAN CIDR (e.g. 192.168.1.0/24) and confirm Proxmox shell/console connections work
  • Confirm discord.com allowlist still only applies to pages on discord.com
Open in Web Open in Cursor 

cursoragent and others added 9 commits July 12, 2026 00:37
Portless IP entries now match the same address on any port, and CIDR
ranges match origins/destinations in the network. This fixes allowlisting
127.0.0.1 (issue #66) and homelab setups like Proxmox (issue #64).

Domain entries still match the page origin only; IP/CIDR entries also
match request destinations so trusted addresses work from file:// pages.

Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
normalizeAllowlistEntry no longer treats every slash as CIDR, so full
URLs and host/path inputs still extract the host. IPv4-mapped IPv6
literals such as ::ffff:127.0.0.1 now match IPv4/CIDR allowlist entries.

Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Detect portless IP entries via URL.port so IPv6 bracket differences across
URL implementations cannot disable wildcard-port matching. Also accept
scheme-prefixed or trailing-slash CIDR pastes instead of silently storing
only the network address.

Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Cover URL/CIDR paste handling, IPv6 portless matching, IPv4-mapped
unwrap, and request-filter end-to-end paths. Also stop unwrapping ::1/::
as deprecated IPv4-compatible addresses (which incorrectly became
0.0.0.1/0.0.0.0).

Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Inputs like http://192.168.1.0/24/dashboard previously fell through to
URL host extraction and stored only 192.168.1.0. Extract a leading
IP/prefix when present, and still reject invalid prefixes.

Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Keep leading CIDR extraction for pastes like /24/dashboard, but if the
leading slash-number is far outside a plausible prefix for that address
family (e.g. /8080), fall through to normal URL host parsing instead of
rejecting the entry.

Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
CIDR still needs a post-parse check because the URL standard treats /24 as
a pathname, but host/scheme/path splitting no longer relies on ad-hoc
regex carving. Bare IPv6 is bracketed only when URL() requires it.

Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Only treat IP URLs as CIDR when the path is exactly a prefix (/24).
Page URLs like http://192.168.1.50/24/items now store the host instead of
accidentally allowlisting a whole subnet. Removes the maxPrefix*2 heuristic.

Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Avoid parsing the input twice for CIDR-vs-host handling, and document that
bare IPv6 forms like ::1:8080 are addresses (use [::1]:8080 for ports).

Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
@ACK-J ACK-J marked this pull request as ready for review July 12, 2026 01:46
@ACK-J ACK-J merged commit 9d8150d into main Jul 12, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature Request] Expand "domain" whitelist to be able to include IP addresses

2 participants