Skip to content

feat: add test/.test to server.allowedHosts/server.cors.origin by default #19250

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 5 commits into from
Closed

feat: add test/.test to server.allowedHosts/server.cors.origin by default #19250

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
13764a3
fix: allow CORS from loopback addresses by default
sapphi-red Jan 21, 2025
aebc56a
chore: add comment
sapphi-red Jan 21, 2025
576e87d
test: add a bit more cases
sapphi-red Jan 21, 2025
46fd0d2
feat: add `test`/`.test` to `server.allowedHosts`/`server.cors.origin…
sapphi-red Jan 21, 2025
3dbd702
chore: update default value in docs
sapphi-red Jan 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/config/server-options.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ See [the WSL document](https://learn.microsoft.com/en-us/windows/wsl/networking#
- **Default:** `[]`

The hostnames that Vite is allowed to respond to.
`localhost` and domains under `.localhost` and all IP addresses are allowed by default.
`localhost`/`test` and domains under `.localhost`/`.test` and all IP addresses are allowed by default.
When using HTTPS, this check is skipped.

If a string starts with `.`, it will allow that hostname without the `.` and all subdomains under the hostname. For example, `.example.com` will allow `example.com`, `foo.example.com`, and `foo.bar.example.com`.
Expand Down Expand Up @@ -161,7 +161,7 @@ export default defineConfig({
## server.cors

- **Type:** `boolean | CorsOptions`
- **Default:** `false`
- **Default:** `{ origin: /^https?:\/\/(?:(?:[^:]+\.)?(?:localhost|test)|127\.0\.0\.1|\[::1\])(?::\d+)?$/ }` (allows localhost, `127.0.0.1` and `::1`)

Configure CORS for the dev server. Pass an [options object](https://github.com/expressjs/cors#configuration-options) to fine tune the behavior or `true` to allow any origin.

Expand Down
33 changes: 33 additions & 0 deletions packages/vite/src/node/__tests__/constants.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
import { expect, test } from 'vitest'
import { defaultAllowedOrigins } from '../constants'

test('defaultAllowedOrigins', () => {
const allowed = [
'http://localhost',
'http://foo.localhost',
'http://foo.test',
'http://localhost:3000',
'https://localhost:3000',
'http://127.0.0.1',
'http://[::1]',
'http://[::1]:3000',
]
const denied = [
'file:///foo',
'http://localhost.example.com',
'http://foo.example.com:localhost',
'http://',
'http://192.0.2',
'http://[2001:db8::1]',
'http://vite',
'http://vite:3000',
]

for (const origin of allowed) {
expect(defaultAllowedOrigins.test(origin), origin).toBe(true)
}

for (const origin of denied) {
expect(defaultAllowedOrigins.test(origin), origin).toBe(false)
}
})
8 changes: 8 additions & 0 deletions packages/vite/src/node/constants.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,14 @@ export const DEFAULT_PREVIEW_PORT = 4173

export const DEFAULT_ASSETS_INLINE_LIMIT = 4096

// the regex to allow loopback address origins:
// - localhost domains (which will always resolve to the loopback address by RFC 6761 section 6.3)
// - test domains (which will never be registered by RFC 6761 section 6.2)
// - 127.0.0.1
// - ::1
export const defaultAllowedOrigins =
/^https?:\/\/(?:(?:[^:]+\.)?(?:localhost|test)|127\.0\.0\.1|\[::1\])(?::\d+)?$/

export const METADATA_FILENAME = '_metadata.json'

export const ERR_OPTIMIZE_DEPS_PROCESSING_ERROR =
Expand Down
2 changes: 1 addition & 1 deletion packages/vite/src/node/http.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ export interface CommonServerOptions {
host?: string | boolean
/**
* The hostnames that Vite is allowed to respond to.
* `localhost` and subdomains under `.localhost` and all IP addresses are allowed by default.
* `localhost`/`test` and domains under `.localhost`/`.test` and all IP addresses are allowed by default.
* When using HTTPS, this check is skipped.
*
* If a string starts with `.`, it will allow that hostname without the `.` and all subdomains under the hostname.
Expand Down
8 changes: 6 additions & 2 deletions packages/vite/src/node/server/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,11 @@ import { reloadOnTsconfigChange } from '../plugins/esbuild'
import { bindCLIShortcuts } from '../shortcuts'
import type { BindCLIShortcutsOptions } from '../shortcuts'
import { ERR_OUTDATED_OPTIMIZED_DEP } from '../../shared/constants'
import { CLIENT_DIR, DEFAULT_DEV_PORT } from '../constants'
import {
CLIENT_DIR,
DEFAULT_DEV_PORT,
defaultAllowedOrigins,
} from '../constants'
import type { Logger } from '../logger'
import { printServerUrls } from '../logger'
import { warnFutureDeprecation } from '../deprecations'
Expand Down Expand Up @@ -1055,7 +1059,7 @@ export const serverConfigDefaults = Object.freeze({
https: undefined,
open: false,
proxy: undefined,
cors: false,
cors: { origin: defaultAllowedOrigins },
headers: {},
// hmr
// ws
Expand Down
5 changes: 5 additions & 0 deletions packages/vite/src/node/server/middlewares/hostCheck.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,11 @@ export function isHostAllowedWithoutCache(
if (hostname === 'localhost' || hostname.endsWith('.localhost')) {
return true
}
// allow test and .test by default as they will never be registered
// https://datatracker.ietf.org/doc/html/rfc6761#section-6.2
if (hostname === 'test' || hostname.endsWith('.test')) {
return true
}
Comment on lines +94 to +98
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the test domain name / hostname, the document mentions:

  1. Application software SHOULD NOT recognize test names as special,
    and SHOULD use test names as they would other domain names.

Should we not handle the test hostname in that case?

For TLDs I think it's fine since it doesn't mention anything like that https://datatracker.ietf.org/doc/rfc2606/

Copy link
Member Author

@sapphi-red sapphi-red Jan 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that sentence is meant to include both test and *.tests. So I think we should include both test / *.test or not include both.

The domain "test.", and any names falling within ".test.", are special in the following ways:

(FYI the last dot of test./.test. is to clarify that it's the last item)

Copy link
Member Author

@sapphi-red sapphi-red Jan 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should not add .test anyway as trusting the (cache) DNS server does not necessarily mean you can trust the IPs listed in that DNS server.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. Then I guess technically it discourages treating test TLDs differently, so I think I'm somewhat leaning on not adding .test as a special case 🤔

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should not add .test anyway as trusting the (cache) DNS server does not necessarily mean you can trust the IPs listed in that DNS server.

I don't quite understand this reasoning. You would never hit a public (potentially malicious) site under the .test TLD, so a remote attacker could never change DNS resolving of such a domain. Do you mean there is no built-in security on any modern system that prevents local DNS cache from containing (injected) .test domains? (don't know, thought the system would be responsible of ensuring this)

Copy link
Member Author

@sapphi-red sapphi-red Jan 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's say there's an internal DNS server and you and your team all uses that DNS server. Then, a member of your team added foo.test that points to some IP. You know that the DNS server would not fool you, but don't know whether the IP foo.test is pointing is trustable. In most cases, you would never add a DNS record that points to an IP that you don't hold, but you can point to an IP you don't have control of.
You may say that you should never put an IP you don't control, but it's not enforced by something, and there maybe a user that is using .test like that.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's say there's an internal DNS server and you and your team all uses that DNS server. Then, a member of your team added foo.test that points to some IP. (...)

Thanks for explanation. I just thought there would be system level safeguards that would prevent any modern system from ever resolving the .test domain via DNS. But I am probably asking for too much here and we cannot count on such (potential) system level implementations, and anyway that would be against the rfc6761 Application software SHOULD NOT recognize test names as special principle.


for (const additionalAllowedHost of additionalAllowedHosts) {
if (additionalAllowedHost === hostname) {
Expand Down
Loading