fix: improved hostname validation logic in Server.js#5627
fix: improved hostname validation logic in Server.js#5627VeerRaj-007 wants to merge 2 commits intowebpack:mainfrom
Conversation
|
Sorry, I don't understand what you fixed here |
|
The bug happens only for no-cors cross-site requests.
That means even localhost and 127.0.0.1 are rejected and a 403 is returned, even though the comment above says they should always be allowed. My change makes the behavior match the comment:
So no-cors requests from localhost now work without requiring allowedHosts: ['localhost'], restoring the old behavior and fixing #5603. |
|
Please add a test case |
|
Hi @alexander-akait, I have added the test as requested and committed it to the repository. Please let me know if any further changes are needed |
2 participants
This PR fixes an issue in isValidHost where setting the devServer.host option could unintentionally block otherwise valid hostnames.
Currently, when validateHost is true, the code combines IP checks, localhost checks, and this.options.host into a single expression. This makes the logic harder to reason about and causes unexpected rejections when a custom host is configured.
This change makes the behavior explicit and correct:
Always allow:
IPv4 and IPv6 addresses
localhost and *.localhost
Only allow this.options.host when validateHost is enabled
This preserves the existing security model while fixing cases where valid requests were rejected when using a custom host.
Why this is needed
When users configure devServer.host, they expect it to be accepted consistently. The previous logic could cause valid requests to be rejected depending on validateHost, which is confusing and not intended behavior.
This change aligns the implementation with the documented behavior and avoids unexpected host blocking.
Fixes #5603