From a1a542278bd9ea08876afaffac7d17d3e6359109 Mon Sep 17 00:00:00 2001
From: DeMoorJasper <jasperdemoor@gmail.com>
Date: Wed, 25 Jul 2018 10:02:19 -0700
Subject: [PATCH] fix security vuln

---
 src/HMRServer.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/HMRServer.js b/src/HMRServer.js
index ed62cba146d..75ec8584c69 100644
--- a/src/HMRServer.js
+++ b/src/HMRServer.js
@@ -17,7 +17,17 @@ class HMRServer {
         this.server = https.createServer(await getCertificate(options.https));
       }
 
-      this.wss = new WebSocket.Server({server: this.server});
+      let websocketOptions = {
+        server: this.server
+      };
+
+      if (options.hmrHostname) {
+        websocketOptions.origin = `${options.https ? 'https' : 'http'}://${
+          options.hmrHostname
+        }`;
+      }
+
+      this.wss = new WebSocket.Server(websocketOptions);
       this.server.listen(options.hmrPort, resolve);
     });