fix: check origin header for websocket connection (#1603) · webpack/webpack-dev-server@b3217ca
@@ -630,14 +630,16 @@ Server.prototype.setContentHeaders = function (req, res, next) {
630630next();
631631};
632632633-Server.prototype.checkHost = function (headers) {
633+Server.prototype.checkHost = function (headers, headerToCheck) {
634634// allow user to opt-out this security check, at own risk
635635if (this.disableHostCheck) {
636636return true;
637637}
638+639+if (!headerToCheck) headerToCheck = 'host';
638640// get the Host header and extract hostname
639641// we don't care about port not matching
640-const hostHeader = headers.host;
642+const hostHeader = headers[headerToCheck];
641643642644if (!hostHeader) {
643645return false;
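Review bot: The `disableHostCheck` early return at the top of `checkHost` now also skips the Origin check, because the same function is called with `headerToCheck = 'origin'`; a user who set `disableHostCheck` only to get past a proxy that rewrites the Host header silently loses the cross-site WebSocket protection this commit adds. Consider a separate opt-out for the Origin check, or at minimum widen the comment to `// allow user to opt-out of BOTH the Host and Origin checks, at own risk`. The comment `// get the Host header and extract hostname` is stale now that the lookup is `headers[headerToCheck]`; `// get the Host (or Origin) header and extract hostname` matches the code. A missing Origin header is rejected by the `if (!hostHeader) { return false; }` branch, which is the safe default but will cut off non-browser clients that send no Origin, so the new `headerToCheck` parameter deserves a JSDoc line saying so. The header value is parsed past the end of the hunk; that code must accept the scheme-prefixed form an Origin header carries (e.g. `http://localhost:8080`), which a bare Host header never has.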
@@ -725,8 +727,8 @@ Server.prototype.listen = function (port, hostname, fn) {
725727return;
726728}
727729728-if (!this.checkHost(connection.headers)) {
729-this.sockWrite([ connection ], 'error', 'Invalid Host header');
730+if (!this.checkHost(connection.headers) || !this.checkHost(connection.headers, 'origin')) {
731+this.sockWrite([ connection ], 'error', 'Invalid Host/Origin header');
730732731733connection.close();
732734
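Review bot: The combined message `'Invalid Host/Origin header'` no longer tells the client which check failed, and since the Origin check is the one that will start rejecting existing setups (missing Origin, a dev page served from another origin), the message is the only clue the user gets before the connection is closed. Running the two checks in separate guards keeps the messages precise and still closes the connection on the first failure; the `||` short-circuit already evaluates them in that order. `listen` starts before this hunk and its body continues after it, so the `return` after `connection.close()` is assumed to match the surrounding handler.
```javascript
if (!this.checkHost(connection.headers)) {
  this.sockWrite([ connection ], 'error', 'Invalid Host header');
  connection.close();
  return;
}

if (!this.checkHost(connection.headers, 'origin')) {
  this.sockWrite([ connection ], 'error', 'Invalid Origin header');
  connection.close();
  return;
}
// … unchanged: rest of the sockjs connection handler …
```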