fix(CORS): only allow connections from the designated host #4985
Conversation
I'm not sure if I was testing it incorrectly, but as far as I tried out, this change does not seem to prevent other domains from accessing the GraphQL interface.
I tested this by running another instance of the
Got it. The It's because
Good catch!
I got it fixed locally, by adding the following lines in

```js
// Reject WebSocket upgrade requests whose Origin header is missing
// or does not come from localhost
httpServer.on('upgrade', (req, socket) => {
  const { origin } = req.headers
  if (!origin || !/https?:\/\/localhost/.test(origin)) {
    socket.destroy()
  }
})
```

But since the
I've migrated to a custom version of the Should check it again after the apollo plugin adds the needed API.
* fix(cors): only allow localhost
* fix: use host so it's configurable
* fix: use cors options object
* feat: use a custom graphql-server instead of the one from apollo plugin
  exports the httpServer instance
* fix: add CORS validation in the http upgrade request

Co-authored-by: Haoqun Jiang <haoqunjiang@gmail.com>

…ain (vuejs#5142)

* fix: followup of vuejs#4985, allow same-site ws requests of any domain
* fix: match whole string
What kind of change does this PR introduce? (check at least one)
Does this PR introduce a breaking change? (check one)
Other information:
For security reasons, only allow connections from localhost.