webpack-dev-server

CORS localhost requests are considered invalid host and get blocked

Open RedMser opened this issue 1 month ago • 2 comments

Bug Description

If webpack-dev-server gets "no-cors cross-site" requests, localhost is not considered an allowed host and a 403 Forbidden is returned.

By explicitly adding allowedHosts: ['localhost'] to the webpack config, the bug is circumvented.

Link to Minimal Reproduction and step to reproduce

In the following project, an iframe is constructed from a blob HTML string. The iframe contains a script tag which refers to a resource URL hosted by the webpack dev server.

https://github.com/RedMser/bug-webpack-dev-server-corb

See the readme in the repo for reproduction steps.

Expected Behavior

Requests to localhost should succeed, even if they originate from a "no-cors cross-site" context.

Actual Behavior

The request fails with a 403 Forbidden response.

[Image: screenshot of the 403 Forbidden response; not included in this extract]

Environment

System:
    OS: Windows 11 10.0.26100
    CPU: (4) x64 Intel(R) Xeon(R) Platinum 8462Y+
    Memory: 2.84 GB / 19.00 GB
  Binaries:
    Node: 24.11.1 - C:\nvm4w\nodejs\node.EXE
    npm: 11.6.2 - C:\nvm4w\nodejs\npm.CMD
  Browsers:
    Chrome: 141.0.7390.123
    Edge: Chromium (141.0.3537.57)
    Firefox: 140.5.0 - C:\Program Files\Mozilla Firefox\firefox.exe
    Internet Explorer: 11.0.26100.1882
  Packages:
    webpack: ^5.102.1 => 5.102.1
    webpack-cli: ^6.0.1 => 6.0.1
    webpack-dev-server: ^5.2.2 => 5.2.2

Is this a regression?

None

Last Working Version

No response

Additional Context

Responsible is the cross-origin-header-check middleware. In particular, isValidHost calls isHostAllowed, which contains the following comment:

https://github.com/webpack/webpack-dev-server/blob/3f3d124bc656197d83a57a422792d80d25137c49/lib/Server.js#L3143-L3145

According to this outdated comment, localhost should be always allowed, but there is no code that actually ensures this here! isValidHost does check for localhost among other things, but validateHost == false in this particular instance.

It might be caused by the refactor in 6045b1e9d63078fb24cac52eb361b7356944cddd but I did not investigate further. This used to work in the past so it's likely a regression, let me know if more info is needed.

RedMser avatar Nov 12 '25 17:11 RedMser

Hey I want to work on this issue can you assign it to me?

shubham220420 avatar Nov 12 '25 18:11 shubham220420

@RedMser We should fix the comments, and you should use allowedHosts: "all" or provide real hosts; that is expected, in order to prevent https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v and https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h

alexander-akait avatar Nov 12 '25 18:11 alexander-akait
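For the configuration question in the maintainer's reply above, and the allowedHosts: ['localhost'] workaround in the report, here is an added example that is not webpack-dev-server's own code: a simplified, stand-alone re-implementation of an allowedHosts-style Host check, run against the three configurations the thread mentions (the workaround, the "all" wildcard, and an explicit list of real hosts). The function names, the exact matching rules (port stripping, the loopback names, leading-dot subdomain entries) and the hostnames in the sample configs are assumptions for illustration, not the project's implementation.

```javascript
// Added example, not webpack-dev-server's code. Simplified model of an
// allowedHosts-style Host check; all names and matching rules are assumptions.

// Loopback names that pass regardless of the configured list (assumption).
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Extract the hostname from a Host header value, dropping any :port and
// keeping IPv6 brackets ("[::1]:8080" -> "[::1]").
function hostnameOf(hostHeader) {
  const h = String(hostHeader).trim().toLowerCase();
  if (h.startsWith("[")) {
    const end = h.indexOf("]");
    return end === -1 ? h : h.slice(0, end + 1);
  }
  const idx = h.indexOf(":");
  return idx === -1 ? h : h.slice(0, idx);
}

// Decide whether a request carrying hostHeader may be served.
//   allowedHosts === "all"  -> accept any Host (the check is effectively off)
//   allowedHosts === "auto" -> loopback only in this simplified model
//   array of strings        -> exact match, or ".example.test" for the domain
//                              and all of its subdomains
function isHostAllowed(hostHeader, allowedHosts) {
  if (allowedHosts === "all") return true; // weak setting: no Host validation at all
  const host = hostnameOf(hostHeader);
  if (!host) return false;
  if (LOOPBACK_HOSTS.has(host)) return true; // loopback always passes
  if (!Array.isArray(allowedHosts)) return false; // "auto" / undefined
  for (const entry of allowedHosts) {
    const e = String(entry).trim().toLowerCase();
    if (!e) continue;
    if (e.startsWith(".")) {
      if (host === e.slice(1) || host.endsWith(e)) return true;
    } else if (host === e) {
      return true;
    }
  }
  return false;
}

// Constructed devServer fragments: the workaround from the report, the
// wildcard the maintainer mentions, and an explicit list of (made-up) hosts.
const configs = {
  workaround: { devServer: { allowedHosts: ["localhost"] } },
  wildcard: { devServer: { allowedHosts: "all" } },
  explicit: {
    devServer: { allowedHosts: ["dev.example.test", ".internal.example.test"] },
  },
};

// Run one Host header through every config; returns { configName: boolean }.
function evaluate(hostHeader) {
  const out = {};
  for (const [name, cfg] of Object.entries(configs)) {
    out[name] = isHostAllowed(hostHeader, cfg.devServer.allowedHosts);
  }
  return out;
}

// Stand-alone demo on constructed Host values.
for (const h of ["localhost:8080", "[::1]:8080", "evil.test", "api.internal.example.test:3000"]) {
  console.log(h, evaluate(h));
}
```

The point of the comparison: with allowedHosts: "all" every Host value is accepted, so the setting gives up exactly the protection the maintainer says this check exists to provide; listing the real hostnames (or a leading-dot domain entry) unblocks legitimate traffic while keeping everything else at 403.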