Verify Host and Origin headers in dev server #10138
Open
Previously we allowed all requests in the dev server, but this could potentially allow another website to access local source code.

This implements 3 mitigations:

1. `Origin` header matches an allowed host. By default `localhost` and local IP addresses are allowed. The existing `--host` option can be specified to use a different host. Set `Access-Control-Allow-Origin` to only that origin instead of `*`.
2. `Origin` header when a WebSocket connects. This allows localhost by default, or the `--hmr-host`/`--host` option.
3. `Host` header to prevent DNS rebinding attacks.

One problem is that reverse proxy services such as Cloudflare Tunnels no longer work due to Host validation. Setting the `--host` option does not work because that also sets the network interface, and the cloudflare host is not valid in that situation. We would need to add an additional option to either disable host validation or provide additional allowed hosts. Unfortunately we don't have a great place to put this. Environment variable? New CLI option? Seems important to solve this one.

Another downside is if you use custom hostnames (e.g. configured via `/etc/hosts`), these are not allowed by default. You'd need to manually set the `--host` option now, and only one at a time can be used. Would be nice if these could automatically be added to the allowed hosts (e.g. could do a reverse DNS lookup for `127.0.0.1`), but would this then be susceptible to DNS rebinding?

Unless we can solve the above items this is also technically a breaking change...