hub / github.com/webpack/webpack-dev-server / isSameOrigin

Method isSameOrigin

lib/Server.js:3245–3303  ·  view source on GitHub ↗

/**
 * @private
 * @param {{ [key: string]: string | undefined }} headers headers
 * @returns {boolean} true when the request is same origin, otherwise false
 */

(headers)

Source from the content-addressed store, hash-verified

3243 * @returns {boolean} true when is same origin, otherwise false
3244 */
3245 isSameOrigin(headers) {
// Decides whether a request is accepted based on its Origin header, its Host
// header and options.allowedHosts. Checks run in order and the first match
// returns; any `true` below means the request is accepted.
//
// allowedHosts === "all" returns true before any header is read, so the
// origin check is effectively switched off in that configuration.
3246 if (this.options.allowedHosts === "all") {
3247 return true;
3248 }
3249
3250 const originHeader = headers.origin;
3251
// The "all" case already returned above, so this comparison evaluates to
// false here: a request without an Origin header is rejected.
3252 if (!originHeader) {
3253 return this.options.allowedHosts === "all";
3254 }
3255
// An Origin matching DEFAULT_ALLOWED_PROTOCOLS is accepted without any host
// comparison.
// NOTE(review): the pattern is defined outside this listing. Confirm it is
// anchored to the start of the value and carries no g/y flag, since .test()
// on such a regex is stateful across calls.
3256 if (DEFAULT_ALLOWED_PROTOCOLS.test(originHeader)) {
3257 return true;
3258 }
3259
// Helper is not shown here. By its name it yields only a hostname; if so,
// scheme and port take no part in the comparisons below. TODO confirm.
3260 const origin = this.#parseHostnameFromHeader(originHeader);
3261
// Fail closed when the Origin value cannot be parsed.
3262 if (origin === null) {
3263 return false;
3264 }
3265
// An allow-listed origin is accepted before the Host header is even read.
3266 if (this.isHostAllowed(origin)) {
3267 return true;
3268 }
3269
3270 const hostHeader = headers.host;
3271
// As with the Origin check above, this evaluates to false at this point:
// a request without a Host header is rejected.
3272 if (!hostHeader) {
3273 return this.options.allowedHosts === "all";
3274 }
3275
// NOTE(review): the protocol pattern is applied to the Host header, which
// normally carries no scheme. Confirm what this branch is meant to match.
3276 if (DEFAULT_ALLOWED_PROTOCOLS.test(hostHeader)) {
3277 return true;
3278 }
3279
3280 const host = this.#parseHostnameFromHeader(hostHeader);
3281
// Fail closed when the Host value cannot be parsed.
3282 if (host === null) {
3283 return false;
3284 }
3285
// NOTE(review): this branch returns true on the Host header alone. The
// origin parsed above was already found not to be allow-listed and is not
// compared with anything here, so any parseable Origin is accepted whenever
// the Host is allow-listed. Confirm that this is intended.
3286 if (this.isHostAllowed(host)) {
3287 return true;
3288 }
3289
3290 // Treat all loopback aliases as equivalent: localhost may resolve to
3291 // 127.0.0.1 or ::1 depending on the OS, causing a false mismatch.
3292 // Only widen when allowedHosts is "auto" (default) or already permits a
3293 // loopback alias, so an explicit allow-list excluding loopback is honored.
// NOTE(review): the set holds the bare form "::1". If the helper returns IPv6
// literals in brackets (as URL.hostname does), that alias never matches. This
// fails closed, but confirm against the helper.
3294 const loopbacks = new Set(["localhost", "127.0.0.1", "::1"]);
3295 const loopbackPermitted =
3296 this.options.allowedHosts === "auto" ||
3297 [...loopbacks].some((alias) => this.isHostAllowed(alias));
3298 if (loopbacks.has(origin) && loopbacks.has(host) && loopbackPermitted) {
3299 return true;
3300 }
3301
// Last resort: exact string equality of the two parsed values.
3302 return origin === host;

Callers 3

createWebSocketServerMethod · 0.95
#isSameOriginRequestMethod · 0.95

Calls 1

isHostAllowedMethod · 0.95

Tested by

no test coverage detected