Limit Mockttp standalone server access to the same origins as the HTK server

Author: pimterry

src/httptoolkit-server.ts

@@ -6,7 +6,7 @@ import { GraphQLScalarType } from 'graphql';
 import { HtkConfig } from './config';
 import { reportError } from './error-tracking';
 import { buildInterceptors, Interceptor } from './interceptors';
-import { IS_PROD_BUILD } from './util';
+import { ALLOWED_ORIGINS } from './util';
 
 const packageJson = require('../package.json');
 
@@ -160,26 +160,7 @@ export class HttpToolkitServer extends events.EventEmitter {
             // and override the port from 4000 to something less likely to conflict.
             port: { port: 45457, host: 'localhost' },
             playground: false,
-            cors: {
-                origin: IS_PROD_BUILD
-                    ? [
-                        // Prod builds only allow HTTPS app.httptoolkit.tech usage. This
-                        // ensures that no other sites/apps can communicate with your server
-                        // whilst you have the app open. If they could (requires an HTTP mitm),
-                        // they would be able to start proxies & interceptors. It's not remote
-                        // execution, but it's definitely not desirable.
-                        /^https:\/\/app\.httptoolkit\.tech$/
-                    ]
-                    : [
-                        // Dev builds can use the main site, or local sites, even if those
-                        // use HTTP. Note that HTTP here could technically open you to the risk
-                        // above, but it'd require a DNS MitM too (to stop local.httptoolkit.tech
-                        // resolving to localhost and never hitting the network).
-                        /^https?:\/\/localhost(:\d+)?$/,
-                        /^http:\/\/local\.httptoolkit\.tech(:\d+)?$/,
-                        /^https:\/\/app\.httptoolkit\.tech$/
-                    ]
-            }
+            cors: { origin: ALLOWED_ORIGINS }
         });
     }
 };

src/index.ts

@@ -10,7 +10,7 @@ import updateCommand from '@oclif/plugin-update/lib/commands/update';
 import { HttpToolkitServer } from './httptoolkit-server';
 import { checkBrowserConfig } from './browsers';
 import { reportError } from './error-tracking';
-import { delay } from './util';
+import { delay, ALLOWED_ORIGINS } from './util';
 
 const canAccess = util.promisify(fs.access);
 const mkDir = util.promisify(fs.mkdir);
@@ -67,7 +67,8 @@ export async function runHTK(options: {
         serverDefaults: {
             cors: false,
             https: httpsConfig
-        }
+        },
+        corsOptions: { origin: ALLOWED_ORIGINS }
     });
     standalone.start({
         port: 45456,

src/util.ts

@@ -2,4 +2,23 @@ export function delay(durationMs: number): Promise<void> {
     return new Promise((resolve) => setTimeout(resolve, durationMs));
 }
 
-export const IS_PROD_BUILD = !!process.env.HTTPTOOLKIT_SERVER_BINPATH;
+export const IS_PROD_BUILD = !!process.env.HTTPTOOLKIT_SERVER_BINPATH;
+
+export const ALLOWED_ORIGINS = IS_PROD_BUILD
+    ? [
+        // Prod builds only allow HTTPS app.httptoolkit.tech usage. This
+        // ensures that no other sites/apps can communicate with your server
+        // whilst you have the app open. If they could (requires an HTTP mitm),
+        // they would be able to start proxies & interceptors. It's not remote
+        // execution, but it's definitely not desirable.
+        /^https:\/\/app\.httptoolkit\.tech$/
+    ]
+    : [
+        // Dev builds can use the main site, or local sites, even if those
+        // use HTTP. Note that HTTP here could technically open you to the risk
+        // above, but it'd require a DNS MitM too (to stop local.httptoolkit.tech
+        // resolving to localhost and never hitting the network).
+        /^https?:\/\/localhost(:\d+)?$/,
+        /^http:\/\/local\.httptoolkit\.tech(:\d+)?$/,
+        /^https:\/\/app\.httptoolkit\.tech$/
+    ]