docs: update CORS documentation for inspector defaults

2026-04-15 09:01:17 +00:00 · 2026-01-28 05:15:13 -08:00 · 2026-01-28 05:15:13 -08:00 · 7f73ea503e
commit 7f73ea503e
parent fc0a8fce15
5 changed files with 59 additions and 32 deletions
--- a/docs/cors.mdx
+++ b/docs/cors.mdx
@ -5,48 +5,66 @@ sidebarTitle: "CORS"
 icon: "globe"
 ---

-When calling the Sandbox Agent server from a browser, you need to enable CORS (Cross-Origin Resource Sharing) explicitly.
+When calling the Sandbox Agent server from a browser, CORS (Cross-Origin Resource Sharing) controls which origins can make requests.

-## Basic Configuration
+## Default Behavior
+
+By default, the server allows CORS requests from the [Inspector](https://inspect.sandboxagent.dev):

 ```bash
+# Inspector CORS is enabled by default
+sandbox-agent server --token "$SANDBOX_TOKEN"
+```
+
+This allows you to use the hosted Inspector to connect to any running Sandbox Agent server without additional configuration.
+
+## Adding Origins
+
+Use `--cors-allow-origin` to allow additional origins. These are **cumulative** with the default Inspector origin:
+
+```bash
+# Allows both Inspector AND localhost:5173
 sandbox-agent server \
  --token "$SANDBOX_TOKEN" \
-  --cors-allow-origin "http://localhost:5173" \
-  --cors-allow-method "GET" \
-  --cors-allow-method "POST" \
-  --cors-allow-header "Authorization" \
-  --cors-allow-header "Content-Type" \
-  --cors-allow-credentials
+  --cors-allow-origin "http://localhost:5173"
 ```

 ## Options

 | Flag | Description |
 |------|-------------|
-| `--cors-allow-origin` | Origins allowed to make requests (e.g., `http://localhost:5173`) |
-| `--cors-allow-method` | HTTP methods to allow (can be specified multiple times) |
-| `--cors-allow-header` | Headers to allow (can be specified multiple times) |
+| `--cors-allow-origin` | Additional origins to allow (cumulative with Inspector) |
+| `--cors-allow-method` | HTTP methods to allow (defaults to all if not specified) |
+| `--cors-allow-header` | Headers to allow (defaults to all if not specified) |
 | `--cors-allow-credentials` | Allow credentials (cookies, authorization headers) |
+| `--no-inspector-cors` | Disable the default Inspector origin |
+
+## Disabling Inspector CORS
+
+To disable the default Inspector origin and only allow explicitly specified origins:
+
+```bash
+# Only allows localhost:5173, not Inspector
+sandbox-agent server \
+  --token "$SANDBOX_TOKEN" \
+  --no-inspector-cors \
+  --cors-allow-origin "http://localhost:5173"
+```

 ## Multiple Origins

-You can allow multiple origins by specifying the flag multiple times:
+Specify the flag multiple times to allow multiple origins:

 ```bash
 sandbox-agent server \
  --token "$SANDBOX_TOKEN" \
  --cors-allow-origin "http://localhost:5173" \
-  --cors-allow-origin "http://localhost:3000" \
-  --cors-allow-method "GET" \
-  --cors-allow-method "POST" \
-  --cors-allow-header "Authorization" \
-  --cors-allow-header "Content-Type"
+  --cors-allow-origin "http://localhost:3000"
 ```

-## Production
+## Restricting Methods and Headers

-In production, replace `localhost` origins with your actual domain:
+By default, all methods and headers are allowed. To restrict them:

 ```bash
 sandbox-agent server \