fix(cors): fixup #4985, allow same-origin ws requests of any domain (#…

…5142) * fix: followup of #4985, allow same-site ws requests of any domain * fix: match whole string
vuejs · Feb 4, 2020 · ce64455 · ce64455
1 parent 3ee096e
commit ce64455
Showing 1 changed file with 13 additions and 6 deletions.
diff --git a/packages/@vue/cli/lib/ui.js b/packages/@vue/cli/lib/ui.js
@@ -2,6 +2,18 @@ const { log, error, openBrowser } = require('@vue/cli-shared-utils')
 const { portfinder, server } = require('@vue/cli-ui/server')
 const shortid = require('shortid')
 
+function simpleCorsValidation (allowedHost) {
+  return function (req, socket) {
+    const { host, origin } = req.headers
+    // maybe we should just use strict string equal?
+    const hostRegExp = new RegExp(`^(${host}|${allowedHost}|localhost)(:\\d+)?$`)
+
+    if (!origin || !hostRegExp.test(origin)) {
+      socket.destroy()
+    }
+  }
+}
+
 async function ui (options = {}, context = process.cwd()) {
   const host = options.host || 'localhost'
 
@@ -69,12 +81,7 @@ async function ui (options = {}, context = process.cwd()) {
     }
   })
 
-  httpServer.on('upgrade', (req, socket) => {
-    const { origin } = req.headers
-    if (!origin || !(new RegExp(host)).test(origin)) {
-      socket.destroy()
-    }
-  })
+  httpServer.on('upgrade', simpleCorsValidation(host))
 }
 
 module.exports = (...args) => {