Skip to content

fix: improved hostname validation logic in Server.js #5627

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
VeerRaj-007 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: improved hostname validation logic in Server.js #5627

VeerRaj-007 wants to merge 2 commits into from
+34 −9

Conversation

@VeerRaj-007
Copy link
Contributor

@VeerRaj-007 VeerRaj-007 commented Jan 12, 2026
edited
Loading

This PR fixes an issue in isValidHost where setting the devServer.host option could unintentionally block otherwise valid hostnames.

Currently, when validateHost is true, the code combines IP checks, localhost checks, and this.options.host into a single expression. This makes the logic harder to reason about and causes unexpected rejections when a custom host is configured.

This change makes the behavior explicit and correct:

  • Always allow:

    • IPv4 and IPv6 addresses

    • localhost and *.localhost

  • Only allow this.options.host when validateHost is enabled

This preserves the existing security model while fixing cases where valid requests were rejected when using a custom host.

Why this is needed

When users configure devServer.host, they expect it to be accepted consistently. The previous logic could cause valid requests to be rejected depending on validateHost, which is confusing and not intended behavior.

This change aligns the implementation with the documented behavior and avoids unexpected host blocking.

Fixes #5603

@alexander-akait
Copy link
Member

alexander-akait commented Jan 12, 2026

Sorry, I don't understand what you fixed here

@VeerRaj-007
Copy link
Contributor Author

VeerRaj-007 commented Jan 12, 2026
edited
Loading

The bug happens only for no-cors cross-site requests.
In that code path isValidHost() is called with validateHost = false, which causes this line to always return false:

const isValidHostname = validateHost ? (...) : false;

That means even localhost and 127.0.0.1 are rejected and a 403 is returned, even though the comment above says they should always be allowed.

My change makes the behavior match the comment:

  • IPv4, IPv6, localhost, and *.localhost are always allowed

  • this.options.host is only allowed when validateHost === true

So no-cors requests from localhost now work without requiring allowedHosts: ['localhost'], restoring the old behavior and fixing #5603.

@alexander-akait
Copy link
Member

alexander-akait commented Jan 12, 2026

Please add a test case

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CORS localhost requests are considered invalid host and get blocked

2 participants

@VeerRaj-007 @alexander-akait