@@ -6,6 +6,7 @@ import { GraphQLScalarType } from 'graphql';
66import { HtkConfig } from './config' ;
77import { reportError } from './error-tracking' ;
88import { buildInterceptors , Interceptor } from './interceptors' ;
9+ import { IS_PROD_BUILD } from './util' ;
910
1011const packageJson = require ( '../package.json' ) ;
1112
@@ -160,10 +161,24 @@ export class HttpToolkitServer extends events.EventEmitter {
160161 port : { port : 45457 , host : 'localhost' } ,
161162 playground : false ,
162163 cors : {
163- origin : [
164- / h t t p s ? : \/ \/ l o c a l h o s t ( : \d + ) ? $ / ,
165- / \. h t t p t o o l k i t \. t e c h ( : \d + ) ? $ /
166- ]
164+ origin : IS_PROD_BUILD
165+ ? [
166+ // Prod builds only allow HTTPS app.httptoolkit.tech usage. This
167+ // ensures that no other sites/apps can communicate with your server
168+ // whilst you have the app open. If they could (requires an HTTP mitm),
169+ // they would be able to start proxies & interceptors. It's not remote
170+ // execution, but it's definitely not desirable.
171+ / ^ h t t p s : \/ \/ a p p \. h t t p t o o l k i t \. t e c h $ /
172+ ]
173+ : [
174+ // Dev builds can use the main site, or local sites, even if those
175+ // use HTTP. Note that HTTP here could technically open you to the risk
176+ // above, but it'd require a DNS MitM too (to stop local.httptoolkit.tech
177+ // resolving to localhost and never hitting the network).
178+ / ^ h t t p s ? : \/ \/ l o c a l h o s t ( : \d + ) ? $ / ,
179+ / ^ h t t p : \/ \/ l o c a l \. h t t p t o o l k i t \. t e c h ( : \d + ) ? $ / ,
180+ / ^ h t t p s : \/ \/ a p p \. h t t p t o o l k i t \. t e c h $ /
181+ ]
167182 }
168183 } ) ;
169184 }
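Review bot: The origin allowlist on the new `cors.origin` branches only decides which browser origins may read the response; it does not by itself stop a page on a disallowed origin from sending a request that needs no preflight (a POST with a CORS-safelisted content type), so the guarantee described in the prod-branch comment holds only if the server also rejects such requests, which this hunk does not show — confirm it or qualify the comment, e.g. `// Note: CORS only gates browser reads of the response; non-preflighted requests still reach the server unless the content type is enforced elsewhere.` The prod regex `^https:\/\/app\.httptoolkit\.tech$` is repeated verbatim in the dev list; hoisting it into one constant above the options, `const APP_ORIGIN = /^https:\/\/app\.httptoolkit\.tech$/;`, and writing `IS_PROD_BUILD ? [APP_ORIGIN] : [..., APP_ORIGIN]` keeps the two branches from drifting. The enclosing method and the `HttpToolkitServer` class both start before the hunk.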