feat(browse): add geolocation CDP override methods to allowlist#1470
Open
cl0ckt0wer wants to merge 1 commit into
Open
feat(browse): add geolocation CDP override methods to allowlist#1470cl0ckt0wer wants to merge 1 commit into
cl0ckt0wer wants to merge 1 commit into
Conversation
…Override to CDP allowlist
Enables GPS/geolocation testing via the browse daemon. Same threat
profile as existing Emulation.setDeviceMetricsOverride: pure input
to the active tab, no data exfiltration surface.
Usage after this change:
$B cdp Emulation.setGeolocationOverride '{"latitude":51.5,"longitude":-0.1}'
Limitation: Browser.grantPermissions cannot be routed through the
page-scoped CDPSession the bridge uses. Full GPS testing (permission
grant + coordinate override) requires either a Playwright script
(context-level permission grant) or a future browser-scope CDP
routing path. Left a NOTE in the allowlist documenting this.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
Emulation.setGeolocationOverrideandEmulation.clearGeolocationOverrideto the CDP allowlist, enabling GPS/geolocation coordinate simulation via the browse daemon.Why
Testing location-aware web apps (maps, GPS trackers, proximity search) currently requires a separate Playwright script because the browse daemon blocks all CDP methods by default (deny-default posture). Geolocation override has the same threat profile as the already-allowed
Emulation.setDeviceMetricsOverride: pure input to the active tab, no data exfiltration surface.What changed
browse/src/cdp-allowlist.ts— added 2 entries under the Emulation section:Emulation.setGeolocationOverride(tab, trusted) — sets geolocation coordinates for the active tabEmulation.clearGeolocationOverride(tab, trusted) — clears the override, mirrorsclearDeviceMetricsOverrideBrowser.grantPermissionscannot work through the page-scoped CDPSession and needs a separate browser-scope routing path in the futureUsage
Known limitation
Full end-to-end GPS testing (permission grant + coordinate override) still requires either:
permissions: ['geolocation']andgeolocation: {...}, orBrowser.grantPermissionsThe
setGeolocationOverridealone overrides coordinates when geolocation permission is already granted (e.g., after user interaction or via a Playwright-launched context).Testing
All 6 existing CDP allowlist tests pass (199 expect calls). No new tests needed — existing test suite validates that every entry has required fields, no duplicates exist, and the deny-default posture is maintained.
Need help on this PR? Tag
@codesmithwith what you need.