Description
Do you want to request a feature or report a bug?
Feature
What is the current behavior?
The Access-Control-Allow-Origin header supports a single domain
What is the expected behavior?
The Access-Control-Allow-Origin header should support multiple domains
If this is a feature request, what is motivation or use case for changing the behavior?
Per the security fix (#887) it was recommended that Access-Control-Allow-Origin: * shouldn't be set (https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a#e801). The validation schema for the headers expects a string (
webpack-dev-server/lib/optionsSchema.json
Line 68 in bbcdca7
webpack-dev-server/lib/Server.js
Line 426 in bbcdca7
In a similar vein to #899, there could be some parsing involved to allow for multiple domains to be specified to respect the DNS rebinding attack fix but provide flexibility in the form of a whitelist of domains that could be used.
Please mention your webpack and Operating System version.
webpack: 2.5.0
webpack-dev-server: 2.5.0
OS: Mac OS 10.12.3
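
One way the allowlist requested above could map onto the single-valued Access-Control-Allow-Origin header, as an added example that is not webpack-dev-server code (the function names and sample origins are assumptions): the middleware echoes the request's Origin only when it exactly matches an allowlist entry, and sets Vary: Origin so caches do not reuse one origin's response for another.

```javascript
// Added example, not webpack-dev-server code. All names here
// (allowedOrigins, normalizeOrigin, resolveAllowOrigin, corsAllowlist)
// are hypothetical.

// Constructed sample allowlist: exact scheme + host + port strings.
const allowedOrigins = ['http://localhost:3000', 'https://app.example.test'];

// Return the canonical "scheme://host[:port]" form of an Origin header
// value, or null if it is missing, "null", non-http(s), or carries
// anything beyond a bare origin (path, credentials, default port).
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.origin === value.toLowerCase() ? url.origin : null;
}

// Exact-match lookup: no substring, suffix or regex matching, so
// "https://app.example.test.evil.test" does not pass.
function resolveAllowOrigin(requestOrigin, allowlist) {
  const origin = normalizeOrigin(requestOrigin);
  return origin !== null && allowlist.includes(origin) ? origin : null;
}

// Connect/Express-style middleware built on the lookup above.
function corsAllowlist(allowlist) {
  return function (req, res, next) {
    // The response now depends on the request's Origin header.
    res.setHeader('Vary', 'Origin');
    const allowed = resolveAllowOrigin(req.headers.origin, allowlist);
    if (allowed !== null) {
      res.setHeader('Access-Control-Allow-Origin', allowed);
    }
    // Unlisted origins get no CORS header; the browser blocks the read.
    next();
  };
}
```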