From 913585e20bc3d6b875a2454dda121561a23e6adf Mon Sep 17 00:00:00 2001
From: Haoqun Jiang
Date: Tue, 4 Feb 2020 22:51:06 +0800
Subject: [PATCH] fix(cors): fixup #4985, allow same-origin ws requests of any domain (#5142)
* fix: followup of #4985, allow same-site ws requests of any domain
* fix: match whole string
---
 packages/@vue/cli/lib/ui.js | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/packages/@vue/cli/lib/ui.js b/packages/@vue/cli/lib/ui.js
index e5a2180183..88c1aedc6a 100644
--- a/packages/@vue/cli/lib/ui.js
+++ b/packages/@vue/cli/lib/ui.js
@@ -2,6 +2,18 @@ const { log, error, openBrowser } = require('@vue/cli-shared-utils')
 const { portfinder, server } = require('@vue/cli-ui/server')
 const shortid = require('shortid')
+function simpleCorsValidation (allowedHost) {
+ return function (req, socket) {
+ const { host, origin } = req.headers
+ // maybe we should just use strict string equal?
+ const hostRegExp = new RegExp(`^(${host}|${allowedHost}|localhost)(:\\d+)?$`)
+
+ if (!origin || !hostRegExp.test(origin)) {
+ socket.destroy()
+ }
+ }
+}
+
 async function ui (options = {}, context = process.cwd()) {
 const host = options.host || 'localhost'
@@ -69,12 +81,7 @@ async function ui (options = {}, context = process.cwd()) {
 }
 })
- httpServer.on('upgrade', (req, socket) => {
- const { origin } = req.headers
- if (!origin || !(new RegExp(host)).test(origin)) {
- socket.destroy()
- }
- })
+ httpServer.on('upgrade', simpleCorsValidation(host))
 }
 module.exports = (...args) => {
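Review bot: The `hostRegExp` built in `simpleCorsValidation` interpolates the request's `Host` header and `allowedHost` into `new RegExp(...)` unescaped, and anchors the host group at `^` with no scheme in front of it. Browsers serialize `Origin` as `scheme://host[:port]`, so as written an origin of the form `http://localhost:<port>` would not match and same-origin upgrades appear to be rejected. Because `host` is request-controlled, regex metacharacters in it can also widen what is accepted (`.` matches any character) or make the constructor throw inside the `upgrade` listener, where nothing in the visible code catches it. I would escape every candidate host before joining them and put `https?://` in front of the group, as below; the in-code question about strict string equality points the same way, and comparing parsed host values would be stricter still. The second hunk only swaps the inline listener for this helper, so the same point covers it.

```javascript
// escape regex metacharacters so header values can only match literally
const escapeRegExp = str => String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&')

// … unchanged: simpleCorsValidation (allowedHost) wrapper and returned handler signature …
    const { host, origin } = req.headers
    const hosts = [host, allowedHost, 'localhost'].filter(Boolean).map(escapeRegExp)
    // Origin is serialized as scheme://host[:port], so the pattern has to include the scheme
    const hostRegExp = new RegExp(`^https?://(${hosts.join('|')})(:\\d+)?$`)
// … unchanged: destroy the socket when origin is missing or does not match …
```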