fix: always allow localhost in cross-origin no-cors requests#5636
Open
Jeston10 wants to merge 2 commits into webpack:main from
Conversation
Implement the intended behavior to always allow localhost host for development convenience. The isHostAllowed method had a comment stating localhost should always be allowed, but the code did not implement this check.

This fixes the issue where no-cors cross-site requests to localhost were incorrectly blocked with 403 Forbidden. Now localhost is always allowed regardless of allowedHosts configuration, matching the intended behavior for development environments.

Fixes the cross-origin-header-check middleware blocking legitimate localhost requests from blob URLs and other cross-origin contexts.

Fixes webpack#5603
Pull request overview
Fixes the cross-origin-header-check middleware behavior so that localhost (and .localhost subdomains) are always treated as an allowed host, preventing erroneous 403 responses for legitimate development requests.
Changes:
- Allow `localhost`/`*.localhost` unconditionally in `isHostAllowed()`.
- Adjust the `isValidHost()` comment/logic to rely on `isHostAllowed()` for localhost handling.
- Update the e2e test expectation for cross-origin `no-cors` script requests to `localhost` from 403 to 200.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| test/e2e/cross-origin-request.test.js | Updates the e2e assertion to ensure localhost cross-site no-cors script requests return 200. |
| lib/Server.js | Implements unconditional localhost allowance inside isHostAllowed() and updates the related isValidHost() logic/comments. |
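The behavior the description and the review spell out, as an added example that is not webpack-dev-server's code: a simplified model of `isHostAllowed()` before and after the change, fed through a stand-in for the cross-origin-header-check that turns the decision into 200 or 403. The allowedHosts shape ("all" or an array whose leading-dot entries match subdomains), the header names and the hostnames are assumptions of this example.

```javascript
// Added example, not webpack-dev-server's own code. Models the host check
// described in the PR: before the fix the comment promises localhost is always
// allowed but nothing implements it; after the fix localhost and *.localhost
// bypass the allowlist. allowedHosts shape and header names are assumptions.

// Lower-case the Host header and strip an optional port ("app.localhost:8080").
function normalizeHost(hostHeader) {
  return String(hostHeader).trim().toLowerCase().replace(/:\d+$/, "");
}

// Exactly "localhost" or a *.localhost subdomain ("notlocalhost" does not match).
function isLocalhost(host) {
  return host === "localhost" || host.endsWith(".localhost");
}

// Assumed allowlist semantics: "all" accepts anything; an entry starting with
// "." matches that domain and its subdomains; anything else is an exact match.
function matchesAllowlist(host, allowedHosts) {
  if (allowedHosts === "all") return true;
  return allowedHosts.some((entry) =>
    entry.startsWith(".")
      ? host === entry.slice(1) || host.endsWith(entry)
      : host === entry,
  );
}

// Before the fix: only the configured allowlist is consulted, so "localhost"
// is rejected unless the user happened to list it.
function isHostAllowedBefore(hostHeader, allowedHosts) {
  const host = normalizeHost(hostHeader);
  // always allow localhost  (intent stated in a comment, never implemented)
  return matchesAllowlist(host, allowedHosts);
}

// After the fix: localhost/*.localhost are accepted unconditionally; every
// other Host still has to pass the allowlist, which stays the real defense.
function isHostAllowedAfter(hostHeader, allowedHosts) {
  const host = normalizeHost(hostHeader);
  if (isLocalhost(host)) return true;
  return matchesAllowlist(host, allowedHosts);
}

// Stand-in for the middleware: a no-cors, cross-site request is refused with
// 403 unless its Host passes the supplied check; other requests are let through.
function crossOriginHeaderCheck(headers, allowedHosts, isHostAllowed) {
  const crossSiteNoCors =
    headers["sec-fetch-mode"] === "no-cors" &&
    headers["sec-fetch-site"] === "cross-site";
  if (crossSiteNoCors && !isHostAllowed(headers.host, allowedHosts)) return 403;
  return 200;
}
```

Feeding a constructed `Host: localhost:8080` request with `Sec-Fetch-Mode: no-cors` and `Sec-Fetch-Site: cross-site` through both checks reproduces the 403 the issue reports with the old check and the 200 the updated e2e test expects with the new one.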
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
alexander-akait requested changes (Jan 26, 2026)