playwriter 0.0.40 → 0.0.41

package/src/cdp-relay.ts

@@ -1,5 +1,6 @@
 import { Hono } from 'hono'
 import { serve } from '@hono/node-server'
+import { getConnInfo } from '@hono/node-server/conninfo'
 import { createNodeWebSocket } from '@hono/node-ws'
 import type { WSContext } from 'hono/ws'
 import type { Protocol } from './cdp-types.js'
@@ -395,23 +396,23 @@ export async function startPlayWriterCDPRelayServer({ port = 19988, host = '127.
     'elnnakgjclnapgflmidlpobefkdmapdm', // Dev extension (loaded unpacked)
   ]
 
-  function isAllowedOrigin(origin: string | undefined): boolean {
-    if (!origin) {
-      return true // Node.js clients don't send Origin
-    }
-    if (origin.startsWith('chrome-extension://')) {
-      const extensionId = origin.replace('chrome-extension://', '')
-      return ALLOWED_EXTENSION_IDS.includes(extensionId)
-    }
-    return false // Reject browser origins (http://, https://, etc.)
-  }
-
   app.get('/cdp/:clientId?', (c, next) => {
     const origin = c.req.header('origin')
-    if (!isAllowedOrigin(origin)) {
-      logger?.log(chalk.red(`Rejecting /cdp WebSocket from origin: ${origin}`))
-      return c.text('Forbidden', 403)
+    
+    // Validate Origin header if present (Node.js clients don't send it)
+    if (origin) {
+      if (origin.startsWith('chrome-extension://')) {
+        const extensionId = origin.replace('chrome-extension://', '')
+        if (!ALLOWED_EXTENSION_IDS.includes(extensionId)) {
+          logger?.log(chalk.red(`Rejecting /cdp WebSocket from unknown extension: ${extensionId}`))
+          return c.text('Forbidden', 403)
+        }
+      } else {
+        logger?.log(chalk.red(`Rejecting /cdp WebSocket from origin: ${origin}`))
+        return c.text('Forbidden', 403)
+      }
     }
+
     if (token) {
       const url = new URL(c.req.url, 'http://localhost')
       const providedToken = url.searchParams.get('token')
@@ -574,11 +575,33 @@ export async function startPlayWriterCDPRelayServer({ port = 19988, host = '127.
   }))
 
   app.get('/extension', (c, next) => {
+    // 1. Host Validation: The extension endpoint must ONLY be accessed from localhost.
+    // This prevents attackers on the network from hijacking the browser session
+    // even if the server is exposed via 0.0.0.0.
+    const info = getConnInfo(c)
+    const remoteAddress = info.remote.address
+    const isLocalhost = remoteAddress === '127.0.0.1' || remoteAddress === '::1'
+
+    if (!isLocalhost) {
+      logger?.log(chalk.red(`Rejecting /extension WebSocket from remote IP: ${remoteAddress}`))
+      return c.text('Forbidden - Extension must be local', 403)
+    }
+
+    // 2. Origin Validation: Prevent browser-based attacks (CSRF).
+    // Browsers cannot spoof the Origin header, so this ensures the connection
+    // is coming from our specific Chrome Extension, not a malicious website.
     const origin = c.req.header('origin')
-    if (!isAllowedOrigin(origin)) {
-      logger?.log(chalk.red(`Rejecting /extension WebSocket from origin: ${origin}`))
+    if (!origin || !origin.startsWith('chrome-extension://')) {
+      logger?.log(chalk.red(`Rejecting /extension WebSocket: origin must be chrome-extension://, got: ${origin || 'none'}`))
       return c.text('Forbidden', 403)
     }
+    
+    const extensionId = origin.replace('chrome-extension://', '')
+    if (!ALLOWED_EXTENSION_IDS.includes(extensionId)) {
+      logger?.log(chalk.red(`Rejecting /extension WebSocket from unknown extension: ${extensionId}`))
+      return c.text('Forbidden', 403)
+    }
+
     return next()
   }, upgradeWebSocket(() => {
     return {

package/src/mcp.test.ts

@@ -2314,10 +2314,58 @@ describe('MCP Server Tests', () => {
         const page = await browserContext.newPage()
         await page.setContent(`
             <html>
+                <head>
+                    <style>
+                        body {
+                            margin: 0;
+                            background: #e8f4f8;
+                            position: relative;
+                            min-height: 100vh;
+                        }
+                        .controls {
+                            padding: 20px;
+                            position: relative;
+                            z-index: 10;
+                        }
+                        .grid-marker {
+                            position: absolute;
+                            background: rgba(255, 100, 100, 0.3);
+                            border: 1px solid #ff6464;
+                            font-size: 10px;
+                            color: #333;
+                            display: flex;
+                            align-items: center;
+                            justify-content: center;
+                        }
+                        .h-marker {
+                            left: 0;
+                            width: 100%;
+                            height: 20px;
+                        }
+                        .v-marker {
+                            top: 0;
+                            height: 100%;
+                            width: 20px;
+                        }
+                    </style>
+                </head>
                 <body>
-                    <button id="submit-btn">Submit Form</button>
-                    <a href="/about">About Us</a>
-                    <input type="text" placeholder="Enter your name" />
+                    <div class="controls">
+                        <button id="submit-btn">Submit Form</button>
+                        <a href="/about">About Us</a>
+                        <input type="text" placeholder="Enter your name" />
+                    </div>
+                    <!-- Horizontal markers every 200px -->
+                    <div class="grid-marker h-marker" style="top: 200px;">200px</div>
+                    <div class="grid-marker h-marker" style="top: 400px;">400px</div>
+                    <div class="grid-marker h-marker" style="top: 600px;">600px</div>
+                    <!-- Vertical markers every 200px -->
+                    <div class="grid-marker v-marker" style="left: 200px;">200</div>
+                    <div class="grid-marker v-marker" style="left: 400px;">400</div>
+                    <div class="grid-marker v-marker" style="left: 600px;">600</div>
+                    <div class="grid-marker v-marker" style="left: 800px;">800</div>
+                    <div class="grid-marker v-marker" style="left: 1000px;">1000</div>
+                    <div class="grid-marker v-marker" style="left: 1200px;">1200</div>
                 </body>
             </html>
         `)
@@ -2370,6 +2418,17 @@ describe('MCP Server Tests', () => {
         // Verify the image is valid JPEG by checking base64
         const buffer = Buffer.from(imageContent.data, 'base64')
         const dimensions = imageSize(buffer)
+        
+        // Get actual viewport size from page
+        const viewport = await page.evaluate(() => ({
+            innerWidth: window.innerWidth,
+            innerHeight: window.innerHeight,
+            outerWidth: window.outerWidth,
+            outerHeight: window.outerHeight,
+        }))
+        console.log('Screenshot dimensions:', dimensions.width, 'x', dimensions.height)
+        console.log('Window viewport:', viewport)
+        
         expect(dimensions.type).toBe('jpg')
         expect(dimensions.width).toBeGreaterThan(0)
         expect(dimensions.height).toBeGreaterThan(0)

package/src/prompt.md

@@ -31,6 +31,8 @@ After any action (click, submit, navigate), verify what happened:
 console.log('url:', page.url()); console.log(await accessibilitySnapshot({ page }).then(x => x.split('\n').slice(0, 30).join('\n')));
 ```
 
+For visually complex pages (grids, galleries, dashboards), use `screenshotWithAccessibilityLabels({ page })` instead to understand spatial layout.
+
 If nothing changed, try `await page.waitForLoadState('networkidle', {timeout: 3000})` or you may have clicked the wrong element.
 
 ## accessibility snapshots
@@ -66,6 +68,24 @@ Search for specific elements:
 const snapshot = await accessibilitySnapshot({ page, search: /button|submit/i })
 ```
 
+## choosing between snapshot methods
+
+Both `accessibilitySnapshot` and `screenshotWithAccessibilityLabels` use the same `aria-ref` system, so you can combine them effectively.
+
+**Use `accessibilitySnapshot` when:**
+- Page has simple, semantic structure (articles, forms, lists)
+- You need to search for specific text or patterns
+- Token usage matters (text is smaller than images)
+- You need to process the output programmatically
+
+**Use `screenshotWithAccessibilityLabels` when:**
+- Page has complex visual layout (grids, galleries, dashboards, maps)
+- Spatial position matters (e.g., "first image", "top-left button")
+- DOM order doesn't match visual order
+- You need to understand the visual hierarchy
+
+**Combining both:** Use screenshot first to understand layout and identify target elements visually, then use `accessibilitySnapshot({ search: /pattern/ })` for efficient searching in subsequent calls.
+
 ## selector best practices
 
 **For unknown websites**: use `accessibilitySnapshot()` with `aria-ref` - it shows what's actually interactive.
@@ -206,7 +226,9 @@ const matches = await editor.grep({ regex: /console\.log/ });
 await editor.edit({ url: matches[0].url, oldString: 'DEBUG = false', newString: 'DEBUG = true' });
 ```
 
-**screenshotWithAccessibilityLabels** - take a screenshot with Vimium-style visual labels overlaid on interactive elements. Shows labels, captures screenshot, then removes labels. The image and accessibility snapshot are automatically included in the response. Can be called multiple times to capture multiple screenshots. Use a timeout of 10 seconds at least.
+**screenshotWithAccessibilityLabels** - take a screenshot with Vimium-style visual labels overlaid on interactive elements. Shows labels, captures screenshot, then removes labels. The image and accessibility snapshot are automatically included in the response. Can be called multiple times to capture multiple screenshots. Use a timeout of **20 seconds** for complex pages.
+
+Prefer this for pages with grids, image galleries, maps, or complex visual layouts where spatial position matters. For simple text-heavy pages, `accessibilitySnapshot` with search is faster and uses fewer tokens.
 
 ```js
 await screenshotWithAccessibilityLabels({ page });
@@ -296,5 +318,6 @@ Examples of what playwriter can do:
 - Intercept network requests to reverse-engineer APIs and build SDKs
 - Scrape data by replaying paginated API calls instead of scrolling DOM
 - Get accessibility snapshot to find elements, then automate interactions
+- Use visual screenshots to understand complex layouts like image grids, dashboards, or maps
 - Debug issues by collecting logs and controlling the page simultaneously
 - Handle popups, downloads, iframes, and dialog boxes