Support multiple domains for `Access-Control-Allow-Origin` header

[naganowl]

Do you want to request a feature or report a bug?

Feature

What is the current behavior?
The Access-Control-Allow-Origin header supports a single domain

What is the expected behavior?
The Access-Control-Allow-Origin header should support multiple domains

If this is a feature request, what is motivation or use case for changing the behavior?
Per the security fix (#887) it was recommended that Access-Control-Allow-Origin: * shouldn't be set (https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a#e801). The validation schema for the headers expects a string (

webpack-dev-server/lib/optionsSchema.json

Line 68 in bbcdca7

"type": "string"

) which is set as is without any parsing (

webpack-dev-server/lib/Server.js

Line 426 in bbcdca7

res.setHeader(name, this.headers[name]);

).

In a similar vein to #899, there could be some parsing involved to allow for multiple domains to be specified to respect the DNS rebinding attack fix but provide flexibility in the form of a whitelist of domains that could be used.

Please mention your webpack and Operating System version.
webpack: 2.5.0
webpack-dev-server: 2.5.0
OS: Mac OS 10.12.3

[shellscape]

We'd happily review a PR to resolve this.

[PrimeTimeTran]

I'd really like to see this too, I think. lol =)

[shellscape]

@naganowl this ticket is stale at 60+ days and will be closed if there's no response from the community. last chance to weigh in 😅

[naganowl]

This is still an issue and looks like there was interest in having it resolved. I don't have bandwidth to tackle this and understand if it's to be closed per guidelines.

That said, I do think it's an important piece of information that can benefit others in the future to know about.

[shellscape]

That said, I do think it's an important piece of information that can benefit others in the future to know about.

Agreed. And that's why even closed issues remain searchable and an invaluable resource.

This is certainly a nice to have, but there doesn't seem to be a large amount of interest that would move this to a high priority. We'll give it another week to see if anyone steps up to the plate ⚾️

[refactornator]

There is a similar issue with setting cookies as headers. I need to set 2 cookies on the header, and using a previous release I was able to do it with this syntax:

devServer: {
    headers: {
        "Set-Cookie": ["first_key=first_value", "second_key=second_value"]
    }
}

But, when I start up the dev server on the newest release I get the following validation error:

Invalid configuration object. webpack-dev-server has been initialised using a configuration object that does not match the API schema.
 - configuration.headers['Set-Cookie'] should be a string.

I believe the validation is wrong, and it should support strings or arrays. I removed the validation locally and the server works because the 'http' module supports this array syntax without any other modification. This issue with cookies is just like the issue with 'Access-Control-Allow-Origin'. Can we remove the string validation for the headers property?

[refactornator]

I submitted a PR for removing this validation: #1115

[shellscape]

Closed in #1115