Enabling Copilot Agent PlayWright MCP Server external access

[graham83]

Select Topic Area

Question

Copilot Feature Area

Copilot Agent Mode

Body

The PlayWright MPC integration 'by default' only allows access to the local host for browsing according to the copilot docs.

How do we enable playwright, in the copilot agent environment, access to external domains such that copilot can complete authentication steps required to navigate an app?

I have tried:

• Disabling the copilot agent firewall
• Configuring a new PlayWright MCP server for the copilot environment with arguments --allowed-origins=b2login.com;

However the Copilot Agent always fails to login to the app due to the authentication redirect, reporting error:

net::ERR_BLOCKED_BY_CLIENT

I am using Azure B2C authentication within the web app.

Any assistance appreciated.

[graham83]

Thanks for the generic response. But firewall external access is enabled. MCP environment variables are set. There is no documentation particularly to configuring GitHub Copilot Agent built in PlayWright MCP Server that I can find.

[ZakGraham]

Having same issue so any help would be appreciated

[muhammad-danial-malik]

Hi @graham83,

To enable external-domain browsing in the built‑in Playwright MCP server for Copilot Agent, you need to override both the MCP server’s CORS policy and the Chromium launch flags. By default it only binds to localhost and blocks any non‑local requests.

---

1. Create or update your mcp.config.json

Place this alongside your agent config (e.g. in ~/.copilot-agent/ or your workspace) and then start the agent with copilot agent run --mcp-config ./mcp.config.json.

{
  "playwrightServer": {
    // bind to all interfaces so external redirects work
    "host": "0.0.0.0",
    "port": 3500,

    // whitelist your auth domains here (no trailing semicolons!)
    "allowedOrigins": [
      "http://localhost:3500",
      "https://your‑app.com",
      "https://login.microsoftonline.com",  
      "https://your‑b2c‑tenant.b2clogin.com"
    ]
  },

  "browser": {
    "launchOptions": {
      "headless": false,
      "args": [
        "--disable-web-security", 
        "--disable-features=IsolateOrigins,site-per-process",
        "--remote-allow-origins=*"
      ]
    }
  }
}

• host: 0.0.0.0 lets Playwright listen on any interface.
• allowedOrigins: a JSON array of every domain that Copilot Agent must navigate (no semicolons—use commas).
• --disable-web-security / --disable-features: turns off same‑origin checks in Chromium so redirects to your B2C tenant aren’t blocked.
• --remote-allow-origins=*: ensures Puppeteer/Playwright can talk to the debug endpoint from any origin.

---

2. Restart your Copilot Agent

copilot agent run --mcp-config ~/.copilot-agent/mcp.config.json

Watch the logs to confirm the server is listening on 0.0.0.0:3500 and that your external domains are in the CORS whitelist.

---

3. Verify in VS Code

1. Open your Copilot Chat session.
2. Trigger the authentication flow.
3. You should now see the B2C login page instead of ERR_BLOCKED_BY_CLIENT.

---

4. If you still see errors…

• Check your JSON syntax (a missing quote or comma can disable the CORS block).
• Inspect network console in the Copilot webview (use DevTools: Ctrl+Shift+I) to see which origin is being blocked and add it to allowedOrigins.
• Ensure your Azure B2C app is sending correct CORS headers (Access‑Control‑Allow‑Origin) for the redirect URIs.

---

Hope this helps!

[graham83]

@muhammad-danial-malik - Thank you - this sounds like it is in the right direction, however your instructions are for the vscode agent. GitHub Copilot Agent generally refers to the managed copilot in GitHub (i.e. @copilot). Can you verify if you can get this working within github?

[muhammad-danial-malik]

Hi @graham83,

Good catch - my previous instructions do assume you’re on the self‑hosted (VS Code) agent. The GitHub‑hosted Copilot Agent (@copilot) is indeed locked down and doesn’t let you drop in a custom mcp.config.json or override Chromium flags directly. Here’s how to proceed:

1. Understand the managed limitations

   • The hosted agent binds Playwright’s MCP server to localhost internally and enforces its own CORS/launch‑flag policy—you can’t override those settings client‑side.
   • Any attempt to supply --disable-web-security or custom allowedOrigins will be ignored by the cloud service.

2. Azure B2C CORS configuration
   For the hosted agent, your only leverage is on the Azure B2C side. Make sure you’ve added all Copilot proxy domains to your B2C CORS and redirect‑URI lists. At minimum, include:

   https://copilot-proxy.githubusercontent.com
   https://*.githubusercontent.com

   You can find the exact blocked origin in DevTools inside the Copilot chat webview (Ctrl+Shift+I → Network → look for the failed request host) and then add that hostname to your B2C CORS settings.

3. Switch to self‑hosted if you need full control
   If you truly require overriding CORS policies or Chromium flags, the self‑hosted agent (copilot agent run) is the only path. With that, you can deploy the mcp.config.json I outlined:

   {
     "playwrightServer": { "host":"0.0.0.0", "port":3500, "allowedOrigins":[ /* your domains */ ] },
     "browser": { "launchOptions": { "headless": false, "args":[ "--disable-web-security", "--remote-allow-origins=*" ] } }
   }

   Then run:

   copilot agent run --mcp-config ./mcp.config.json

4. Next steps

   • Hosted agent: Update Azure B2C CORS to trust the Copilot domains, capture any new blocked origin from DevTools, and add it.
   • Self‑hosted agent: Continue with the mcp.config.json approach for full Playwright control.

---

Hope this helps!

[ZoltanDobo]

Seems still no solution for this issue?

Essentially having the MCP Playwright sandboxed makes impossible to use the coding agent generating test code properly. What is weird as this was the most often displayed scenario of coding agent usage in the github videos.

[jfullstackdev]

I'm not very sure if I'm getting it correctly, but I'll post them anyways,

if I'm not mistaken, right now, you cannot enable external domain access for Playwright in Copilot Agent Mode,

it’s an intentional sandbox limitation (to prevent data leakage and security risks), and GitHub’s docs note that only localhost endpoints are supported

---

Possible Workarounds

until GitHub adds broader support, options are limited:

1. proxy external auth locally

   • Run a local reverse proxy that forwards b2login.com → localhost:<port>
   • Playwright (through Copilot) sees only localhost, but traffic is tunneled to the real auth service.
   • Tools: ngrok, localtunnel, or custom Nginx/Traefik config.

2. stub/mock the login flow

   • Instead of going through Azure B2C, configure a mock auth provider in your dev environment.
   • Let Playwright test post-login flows without hitting external redirects.

3. run Playwright outside Copilot

   • If full end-to-end with Azure B2C is required, you’ll need to run Playwright directly (CI/CD pipeline, local machine) instead of inside the Copilot Agent sandbox.

[graham83]

Only local endpoints 'by default'. Implies you should be able to configure it via the mcp configuration.

Still no response so can only acheive this with local agent.