Support multiple domains for Access-Control-Allow-Origin header #964

Closed
@naganowl

Do you want to request a feature or report a bug?

Feature

What is the current behavior?
The Access-Control-Allow-Origin header supports a single domain

What is the expected behavior?
The Access-Control-Allow-Origin header should support multiple domains

If this is a feature request, what is motivation or use case for changing the behavior?
Per the security fix (#887) it was recommended that Access-Control-Allow-Origin: * shouldn't be set (https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a#e801). The validation schema for the headers expects a string ( ) which is set as is without any parsing (res.setHeader(name, this.headers[name]);).

In a similar vein to #899, there could be some parsing involved to allow for multiple domains to be specified to respect the DNS rebinding attack fix but provide flexibility in the form of a whitelist of domains that could be used.

Please mention your webpack and Operating System version.
webpack: 2.5.0
webpack-dev-server: 2.5.0
OS: Mac OS 10.12.3
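
The allowlist approach requested above, as an added example that is not part of the original issue and not webpack-dev-server's own code. Because the Access-Control-Allow-Origin value can carry only one origin, the list is matched server-side against the request's Origin header and the single matching origin is echoed back; `ALLOWED_ORIGINS`, the function names and the origins in it are assumptions made for illustration.

```javascript
// Added example: exact-match origin allowlist for a Node HTTP handler.
// ALLOWED_ORIGINS and all function names are hypothetical, not webpack-dev-server options.
const ALLOWED_ORIGINS = ['http://localhost:3000', 'https://app.example.test']; // constructed values

// Normalize a value to scheme://host[:port]; return null if it is not a usable web origin.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === '' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch (err) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // An origin has no credentials, path, query or fragment.
  if (url.username || url.password || url.search || url.hash || url.pathname !== '/') return null;
  return url.origin;
}

// Parse the configured list once and fail fast on entries such as '*' or bare hostnames.
function buildAllowlist(origins) {
  const set = new Set();
  for (const entry of origins) {
    const normalized = normalizeOrigin(entry);
    if (normalized === null) throw new Error('Invalid allowlist entry: ' + entry);
    set.add(normalized);
  }
  return set;
}

// Decide the CORS response headers for one request's Origin header value.
function corsHeadersFor(requestOrigin, allowlist) {
  // Vary on Origin so a cache never serves one origin's response to another.
  const headers = { Vary: 'Origin' };
  const origin = normalizeOrigin(requestOrigin);
  if (origin !== null && allowlist.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin; // exactly one origin, never '*' or a list
  }
  return headers;
}

// Apply the decision with the same res.setHeader(name, value) call the issue quotes.
function applyCors(req, res, allowlist) {
  const headers = corsHeadersFor(req.headers.origin, allowlist);
  for (const name of Object.keys(headers)) res.setHeader(name, headers[name]);
}
```

Matching is by exact equality on the normalized origin, so a hostname that merely starts or ends with an allowed name gets no Access-Control-Allow-Origin header at all.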
