Tighten up CORS to ensure MitM HTTP isn't enough to start an interceptor

Author: pimterry

src/error-tracking.ts

@@ -1,12 +1,13 @@
 import * as Sentry from '@sentry/node';
+import { IS_PROD_BUILD } from './util';
 
 let sentryInitialized = false;
 
 export function initErrorTracking() {
     const packageJson = require('../package.json');
 
     let { SENTRY_DSN } = process.env;
-    if (!SENTRY_DSN && process.env.HTTPTOOLKIT_SERVER_BINPATH) {
+    if (!SENTRY_DSN && IS_PROD_BUILD) {
         // If we're a built binary, use the standard DSN automatically
         SENTRY_DSN = 'https://[email protected]/1371158';
     }

src/httptoolkit-server.ts

@@ -6,6 +6,7 @@ import { GraphQLScalarType } from 'graphql';
 import { HtkConfig } from './config';
 import { reportError } from './error-tracking';
 import { buildInterceptors, Interceptor } from './interceptors';
+import { IS_PROD_BUILD } from './util';
 
 const packageJson = require('../package.json');
 
@@ -160,10 +161,24 @@ export class HttpToolkitServer extends events.EventEmitter {
             port: { port: 45457, host: 'localhost' },
             playground: false,
             cors: {
-                origin: [
-                    /https?:\/\/localhost(:\d+)?$/,
-                    /\.httptoolkit\.tech(:\d+)?$/
-                ]
+                origin: IS_PROD_BUILD
+                    ? [
+                        // Prod builds only allow HTTPS app.httptoolkit.tech usage. This
+                        // ensures that no other sites/apps can communicate with your server
+                        // whilst you have the app open. If they could (requires an HTTP mitm),
+                        // they would be able to start proxies & interceptors. It's not remote
+                        // execution, but it's definitely not desirable.
+                        /^https:\/\/app\.httptoolkit\.tech$/
+                    ]
+                    : [
+                        // Dev builds can use the main site, or local sites, even if those
+                        // use HTTP. Note that HTTP here could technically open you to the risk
+                        // above, but it'd require a DNS MitM too (to stop local.httptoolkit.tech
+                        // resolving to localhost and never hitting the network).
+                        /^https?:\/\/localhost(:\d+)?$/,
+                        /^http:\/\/local\.httptoolkit\.tech(:\d+)?$/,
+                        /^https:\/\/app\.httptoolkit\.tech$/
+                    ]
             }
         });
     }

src/interceptors/fresh-chrome.ts

@@ -1,6 +1,5 @@
 import { promisify } from 'util';
 import * as fs from 'fs';
-import * as path from 'path';
 
 import * as _ from 'lodash';
 import { generateSPKIFingerprint } from 'mockttp';

src/util.ts

@@ -1,3 +1,5 @@
 export function delay(durationMs: number): Promise<void> {
     return new Promise((resolve) => setTimeout(resolve, durationMs));
-}
+}
+
+export const IS_PROD_BUILD = !!process.env.HTTPTOOLKIT_SERVER_BINPATH;