microsoft · yury-s · Feb 3, 2026 · Jan 24, 2026 · Jan 29, 2026
diff --git a/packages/playwright/src/mcp/browser/context.ts b/packages/playwright/src/mcp/browser/context.ts
@@ -276,6 +276,11 @@ function allRootPaths(clientInfo: ClientInfo): string[] {
 
 
 function originOrHostGlob(originOrHost: string) {
+  // Support wildcard port patterns like "http://localhost:*" or "https://example.com:*"
+  const wildcardPortMatch = originOrHost.match(/^(https?:\/\/[^/:]+):\*$/);
+  if (wildcardPortMatch)
+    return `${wildcardPortMatch[1]}:*/**`;
+
   try {
     const url = new URL(originOrHost);
     // localhost:1234 will parse as protocol 'localhost:' and 'null' origin.

diff --git a/packages/playwright/src/mcp/config.d.ts b/packages/playwright/src/mcp/config.d.ts
@@ -172,11 +172,19 @@ export type Config = {
   network?: {
     /**
      * List of origins to allow the browser to request. Default is to allow all. Origins matching both `allowedOrigins` and `blockedOrigins` will be blocked.
+     *
+     * Supported formats:
+     * - Full origin: `https://example.com:8080` - matches only that origin
+     * - Wildcard port: `http://localhost:*` - matches any port on localhost with http protocol
      */
     allowedOrigins?: string[];
 
     /**
      * List of origins to block the browser to request. Origins matching both `allowedOrigins` and `blockedOrigins` will be blocked.
+     *
+     * Supported formats:
+     * - Full origin: `https://example.com:8080` - matches only that origin
+     * - Wildcard port: `http://localhost:*` - matches any port on localhost with http protocol
      */
     blockedOrigins?: string[];
   };

diff --git a/tests/mcp/request-blocking.spec.ts b/tests/mcp/request-blocking.spec.ts
@@ -125,3 +125,37 @@ test('blocked without allowed allows non-explicitly specified origins (origin)',
   const result = await fetchPage(client, server.PREFIX + '/ppp');
   expect(result).toContain('content:PPP');
 });
+
+test('allowed works (wildcard port)', async ({ server, startClient }) => {
+  server.setContent('/ppp', 'content:PPP', 'text/html');
+  const { client } = await startClient({
+    args: ['--allowed-origins', 'http://localhost:*']
+  });
+  const result = await fetchPage(client, server.PREFIX + '/ppp');
+  expect(result).toContain('content:PPP');
+});
+
+test('allowed blocks different hostname (wildcard port)', async ({ startClient }) => {
+  const { client } = await startClient({
+    args: ['--allowed-origins', 'http://localhost:*'],
+  });
+  const result = await fetchPage(client, 'http://example.com/');
+  expect(result).toMatch(BLOCK_MESSAGE);
+});
+
+test('allowed blocks different protocol (wildcard port)', async ({ startClient }) => {
+  const { client } = await startClient({
+    args: ['--allowed-origins', 'http://localhost:*'],
+  });
+  const result = await fetchPage(client, 'https://localhost:8080/');
+  expect(result).toMatch(BLOCK_MESSAGE);
+});
+
+test('blocked works (wildcard port)', async ({ server, startClient }) => {
+  server.setContent('/ppp', 'content:PPP', 'text/html');
+  const { client } = await startClient({
+    args: ['--blocked-origins', `http://${new URL(server.PREFIX).host.split(':')[0]}:*`]
+  });
+  const result = await fetchPage(client, server.PREFIX + '/ppp');
+  expect(result).toMatch(BLOCK_MESSAGE);
+});