fix(ai): send anthropic-dangerous-direct-browser-access header#967
fix(ai): send anthropic-dangerous-direct-browser-access header#967hishamMounir wants to merge 1 commit into
Conversation
Anthropic's API rejects requests that carry an Origin header (which the Tauri webview always sends) unless the client opts in with the anthropic-dangerous-direct-browser-access header. Without it every Claude request from the app fails CORS and the UI shows a generic "An error occurred". Pass the header via createAnthropic's headers option. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthroughThe Anthropic model client initialization in ChangesAnthropic Client Header Fix
Estimated code review effort: 1 (Trivial) | ~5 minutes Security note: worth double-checking — this header is Anthropic's official opt-in for allowing browser-origin requests to hit their API directly, which is normally discouraged because it can expose the API key client-side (e.g., in a webview's network inspector or via injected scripts). Since this is a Tauri webview and not a public browser tab, the exposure surface is narrower, but confirm the API key isn't otherwise reachable by untrusted renderer-side code before shipping. Related Issues: None specified 🐰 A tiny header hops into the request, 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
src/modules/ai/lib/agent.ts (1)
105-114: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider a regression test locking this header.
This fix addresses a silent, hard-to-diagnose failure (generic "An error occurred"). A small unit test asserting
createAnthropicis invoked with theanthropic-dangerous-direct-browser-accessheader would prevent a future refactor from dropping it unnoticed.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/modules/ai/lib/agent.ts` around lines 105 - 114, Add a regression test for the anthropic provider branch in agent.ts that verifies createAnthropic is called with the anthropic-dangerous-direct-browser-access header. Locate the logic in the anthropic case inside the agent model factory, mock `@ai-sdk/anthropic`, and assert the headers object includes the required opt-in flag so future refactors don’t remove it.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/modules/ai/lib/agent.ts`:
- Around line 107-108: The comment in agent.ts contains a stray garbled phrase
that should be removed or rewritten to stay purposeful. Update the explanatory
comment near the webview fetch/Origin header handling in the agent logic so it
ends cleanly after describing why Anthropic rejects browser requests unless the
Origin header opts in, with no filler text like the current leftover phrase.
---
Nitpick comments:
In `@src/modules/ai/lib/agent.ts`:
- Around line 105-114: Add a regression test for the anthropic provider branch
in agent.ts that verifies createAnthropic is called with the
anthropic-dangerous-direct-browser-access header. Locate the logic in the
anthropic case inside the agent model factory, mock `@ai-sdk/anthropic`, and
assert the headers object includes the required opt-in flag so future refactors
don’t remove it.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 2a20d7b3-0f8a-43ec-a3d2-06814d3d79f8
📒 Files selected for processing (1)
src/modules/ai/lib/agent.ts
| // Webview fetch sends an Origin header; Anthropic's API rejects such | ||
| // "browser" requests unless this header opts in. ponytail: required flag. |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Stray/garbled word in comment.
"ponytail: required flag." reads as leftover/garbled text unrelated to the explanation. As per coding guidelines, comments should be purposeful with no filler; this line should either be dropped or reworded to something meaningful (e.g., just end after "opt in.").
✏️ Proposed fix
- // Webview fetch sends an Origin header; Anthropic's API rejects such
- // "browser" requests unless this header opts in. ponytail: required flag.
+ // Webview fetch sends an Origin header; Anthropic's API rejects such
+ // "browser" requests unless this header opts in.
built = createAnthropic({📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| // Webview fetch sends an Origin header; Anthropic's API rejects such | |
| // "browser" requests unless this header opts in. ponytail: required flag. | |
| // Webview fetch sends an Origin header; Anthropic's API rejects such | |
| // "browser" requests unless this header opts in. | |
| built = createAnthropic({ |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/modules/ai/lib/agent.ts` around lines 107 - 108, The comment in agent.ts
contains a stray garbled phrase that should be removed or rewritten to stay
purposeful. Update the explanatory comment near the webview fetch/Origin header
handling in the agent logic so it ends cleanly after describing why Anthropic
rejects browser requests unless the Origin header opts in, with no filler text
like the current leftover phrase.
Source: Coding guidelines
Problem
Every Claude request from the app fails with a generic "An error occurred" in the AI panel. The Anthropic branch in
buildLanguageModelconstructs the provider with no custom headers:Inside the Tauri webview,
fetchsends anOriginheader, so Anthropic's API treats the call as a browser request and rejects it:The blocked response can't be read by the SDK, which throws — surfacing as the generic error. Key, model, billing, and network are all fine; the request never gets an answer.
Reproduced directly against
api.anthropic.comwith a valid key:Origin→ 200 OKOrigin+ no flag → CORSauthentication_error(above)Origin+anthropic-dangerous-direct-browser-access: true→ 200 OKFix
Pass the opt-in header via
createAnthropic'sheadersoption, matching what the official Anthropic SDK does underdangerouslyAllowBrowser.Notes
pnpm check-typesclean;src/modules/ai/config.test.tspasses (13/13).🤖 Generated with Claude Code
Summary by CodeRabbit