Skip to content

fix(ai): send anthropic-dangerous-direct-browser-access header#967

Open
hishamMounir wants to merge 1 commit into
crynta:mainfrom
hishamMounir:fix/anthropic-webview-cors
Open

fix(ai): send anthropic-dangerous-direct-browser-access header#967
hishamMounir wants to merge 1 commit into
crynta:mainfrom
hishamMounir:fix/anthropic-webview-cors

Conversation

@hishamMounir

@hishamMounir hishamMounir commented Jul 7, 2026

Copy link
Copy Markdown

Problem

Every Claude request from the app fails with a generic "An error occurred" in the AI panel. The Anthropic branch in buildLanguageModel constructs the provider with no custom headers:

built = createAnthropic({ apiKey: key })(resolvedModelId);

Inside the Tauri webview, fetch sends an Origin header, so Anthropic's API treats the call as a browser request and rejects it:

{"type":"error","error":{"type":"authentication_error",
 "message":"CORS requests must set 'anthropic-dangerous-direct-browser-access' header"}}

The blocked response can't be read by the SDK, which throws — surfacing as the generic error. Key, model, billing, and network are all fine; the request never gets an answer.

Reproduced directly against api.anthropic.com with a valid key:

  • no Origin → 200 OK
  • Origin + no flag → CORS authentication_error (above)
  • Origin + anthropic-dangerous-direct-browser-access: true → 200 OK

Fix

Pass the opt-in header via createAnthropic's headers option, matching what the official Anthropic SDK does under dangerouslyAllowBrowser.

Notes

  • Other cloud providers (OpenAI, Google, …) may need equivalent handling for webview CORS; scoped this PR to the confirmed Anthropic case.
  • pnpm check-types clean; src/modules/ai/config.test.ts passes (13/13).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Improved compatibility for AI features in browser-based views, preventing requests from being rejected by the model provider.
    • Enabled successful model connections in environments that include browser-origin headers.

Anthropic's API rejects requests that carry an Origin header (which the
Tauri webview always sends) unless the client opts in with the
anthropic-dangerous-direct-browser-access header. Without it every Claude
request from the app fails CORS and the UI shows a generic "An error
occurred". Pass the header via createAnthropic's headers option.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@hishamMounir hishamMounir requested a review from crynta as a code owner July 7, 2026 01:47
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The Anthropic model client initialization in buildLanguageModel now includes a headers configuration enabling anthropic-dangerous-direct-browser-access, replacing the prior apiKey-only setup. Inline comments explain that this opt-in is required for webview fetch requests carrying an Origin header.

Changes

Anthropic Client Header Fix

Layer / File(s) Summary
Browser-access header for Anthropic client
src/modules/ai/lib/agent.ts
The anthropic branch now sets an anthropic-dangerous-direct-browser-access: "true" header when creating the client, with comments explaining the webview Origin-header rejection issue.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Security note: worth double-checking — this header is Anthropic's official opt-in for allowing browser-origin requests to hit their API directly, which is normally discouraged because it can expose the API key client-side (e.g., in a webview's network inspector or via injected scripts). Since this is a Tauri webview and not a public browser tab, the exposure surface is narrower, but confirm the API key isn't otherwise reachable by untrusted renderer-side code before shipping.

Related Issues: None specified
Related PRs: None specified
Suggested labels: ai, bugfix
Suggested reviewers: None specified

🐰 A tiny header hops into the request,
"Origin, don't reject, I insist!"
Six lines changed, one bug fixed,
Anthropic and webview now coexist.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title follows Conventional Commits and accurately describes the Anthropic header fix.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/modules/ai/lib/agent.ts (1)

105-114: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider a regression test locking this header.

This fix addresses a silent, hard-to-diagnose failure (generic "An error occurred"). A small unit test asserting createAnthropic is invoked with the anthropic-dangerous-direct-browser-access header would prevent a future refactor from dropping it unnoticed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/modules/ai/lib/agent.ts` around lines 105 - 114, Add a regression test
for the anthropic provider branch in agent.ts that verifies createAnthropic is
called with the anthropic-dangerous-direct-browser-access header. Locate the
logic in the anthropic case inside the agent model factory, mock
`@ai-sdk/anthropic`, and assert the headers object includes the required opt-in
flag so future refactors don’t remove it.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/modules/ai/lib/agent.ts`:
- Around line 107-108: The comment in agent.ts contains a stray garbled phrase
that should be removed or rewritten to stay purposeful. Update the explanatory
comment near the webview fetch/Origin header handling in the agent logic so it
ends cleanly after describing why Anthropic rejects browser requests unless the
Origin header opts in, with no filler text like the current leftover phrase.

---

Nitpick comments:
In `@src/modules/ai/lib/agent.ts`:
- Around line 105-114: Add a regression test for the anthropic provider branch
in agent.ts that verifies createAnthropic is called with the
anthropic-dangerous-direct-browser-access header. Locate the logic in the
anthropic case inside the agent model factory, mock `@ai-sdk/anthropic`, and
assert the headers object includes the required opt-in flag so future refactors
don’t remove it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 2a20d7b3-0f8a-43ec-a3d2-06814d3d79f8

📥 Commits

Reviewing files that changed from the base of the PR and between 78a0b3d and dd9d141.

📒 Files selected for processing (1)
  • src/modules/ai/lib/agent.ts

Comment on lines +107 to +108
// Webview fetch sends an Origin header; Anthropic's API rejects such
// "browser" requests unless this header opts in. ponytail: required flag.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Stray/garbled word in comment.

"ponytail: required flag." reads as leftover/garbled text unrelated to the explanation. As per coding guidelines, comments should be purposeful with no filler; this line should either be dropped or reworded to something meaningful (e.g., just end after "opt in.").

✏️ Proposed fix
-      // Webview fetch sends an Origin header; Anthropic's API rejects such
-      // "browser" requests unless this header opts in. ponytail: required flag.
+      // Webview fetch sends an Origin header; Anthropic's API rejects such
+      // "browser" requests unless this header opts in.
       built = createAnthropic({
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// Webview fetch sends an Origin header; Anthropic's API rejects such
// "browser" requests unless this header opts in. ponytail: required flag.
// Webview fetch sends an Origin header; Anthropic's API rejects such
// "browser" requests unless this header opts in.
built = createAnthropic({
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/modules/ai/lib/agent.ts` around lines 107 - 108, The comment in agent.ts
contains a stray garbled phrase that should be removed or rewritten to stay
purposeful. Update the explanatory comment near the webview fetch/Origin header
handling in the agent logic so it ends cleanly after describing why Anthropic
rejects browser requests unless the Origin header opts in, with no filler text
like the current leftover phrase.

Source: Coding guidelines

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant