fix: always allow localhost in cross-origin no-cors requests by Jeston10 · Pull Request #5636 · webpack/webpack-dev-server
Implement the intended behavior to always allow localhost host for development convenience. The isHostAllowed method had a comment stating localhost should always be allowed, but the code did not implement this check. This fixes the issue where no-cors cross-site requests to localhost were incorrectly blocked with 403 Forbidden. Now localhost is always allowed regardless of allowedHosts configuration, matching the intended behavior for development environments. Fixes the cross-origin-header-check middleware blocking legitimate localhost requests from blob URLs and other cross-origin contexts. Fixes webpack#5603
AI review requested due to automatic review settings
January 25, 2026 06:33This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters