Description
Bug Description
If webpack-dev-server gets "no-cors cross-site" requests, localhost is not considered an allowed host and a 403 Forbidden is returned.
By explicitly adding allowedHosts: ['localhost'] to the webpack config, the bug is circumvented.
Link to Minimal Reproduction and step to reproduce
In the following project, an iframe is constructed from a blob HTML string. The iframe contains a script tag which refers to a resource URL which is hosted by webpack dev server.
https://github.com/RedMser/bug-webpack-dev-server-corb
See the readme in the repo for reproduction steps.
Expected Behavior
Requests to localhost should succeed, even if they originate from a "no-cors cross-site" context.
Actual Behavior
The request fails with a 403 Forbidden response.
Environment
System:
OS: Windows 11 10.0.26100
CPU: (4) x64 Intel(R) Xeon(R) Platinum 8462Y+
Memory: 2.84 GB / 19.00 GB
Binaries:
Node: 24.11.1 - C:\nvm4w\nodejs\node.EXE
npm: 11.6.2 - C:\nvm4w\nodejs\npm.CMD
Browsers:
Chrome: 141.0.7390.123
Edge: Chromium (141.0.3537.57)
Firefox: 140.5.0 - C:\Program Files\Mozilla Firefox\firefox.exe
Internet Explorer: 11.0.26100.1882
Packages:
webpack: ^5.102.1 => 5.102.1
webpack-cli: ^6.0.1 => 6.0.1
webpack-dev-server: ^5.2.2 => 5.2.2
Is this a regression?
None
Last Working Version
No response
Additional Context
The cross-origin-header-check middleware is responsible.
In particular, isValidHost calls isHostAllowed, which contains the following comment:
webpack-dev-server/lib/Server.js
Lines 3143 to 3145 in 3f3d124
// always allow localhost host, for convenience
// allow if value is in allowedHosts
if (Array.isArray(allowedHosts) && allowedHosts.length > 0) {
According to this outdated comment, localhost should be always allowed, but there is no code that actually ensures this here!
isValidHost does check for localhost among other things, but validateHost == false in this particular instance.
It might be caused by the refactor in 6045b1e, but I did not investigate further. This used to work in the past, so it's likely a regression; let me know if more info is needed.
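To make the described defect concrete, here is an added, stand-alone JavaScript illustration of a Host-header allowlist check (not webpack-dev-server's own code): buggyIsHostAllowed reproduces the symptom in this report (only the allowedHosts list is consulted, so an empty list rejects localhost), and isHostAllowed is one way to actually honour the "always allow localhost" comment. Function names, the "all" value and the leading-dot subdomain entry format are assumptions; it also treats 127.0.0.1, ::1 and *.localhost as loopback, which goes beyond the report's localhost case.

```javascript
// Added example (not webpack-dev-server's own code): a minimal Host-header
// allowlist check modelled on the behaviour described in this report.
// Function names and the allowedHosts entry formats are assumptions.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);

// Extract the bare hostname from a Host header value, e.g. "localhost:8080",
// "[::1]:8080" or "app.example.test". Returns null for unparsable input.
function hostnameFromHeader(hostHeader) {
  if (typeof hostHeader !== "string" || hostHeader.length === 0) return null;
  try {
    // The WHATWG URL parser handles ports, bracketed IPv6 and lowercasing.
    const { hostname } = new URL(`http://${hostHeader}/`);
    // URL keeps the brackets around IPv6 literals; strip them.
    return hostname.replace(/^\[(.*)\]$/, "$1");
  } catch {
    return null;
  }
}

// Behaviour the report describes: the comment promises localhost is always
// allowed, but only allowedHosts is consulted, so an empty list rejects a
// loopback request (the 403 Forbidden seen above).
function buggyIsHostAllowed(hostHeader, allowedHosts = []) {
  const hostname = hostnameFromHeader(hostHeader);
  if (hostname === null) return false;
  // always allow localhost host, for convenience   <- never implemented
  if (Array.isArray(allowedHosts) && allowedHosts.length > 0) {
    return allowedHosts.includes(hostname);
  }
  return false;
}

// Corrected check: loopback names are accepted unconditionally; anything else
// must match the allowlist (exact name, or ".suffix" to cover subdomains).
// *.localhost is treated as loopback as well (assumption, per RFC 6761).
function isHostAllowed(hostHeader, allowedHosts = []) {
  const hostname = hostnameFromHeader(hostHeader);
  if (hostname === null) return false;
  if (LOOPBACK.has(hostname) || hostname.endsWith(".localhost")) return true;
  if (allowedHosts === "all") return true; // explicit opt-out of the check
  if (!Array.isArray(allowedHosts)) return false;
  return allowedHosts.some((entry) =>
    entry.startsWith(".")
      ? hostname === entry.slice(1) || hostname.endsWith(entry)
      : hostname === entry
  );
}
```

The workaround from the report, allowedHosts: ['localhost'], corresponds to the case where buggyIsHostAllowed succeeds only because the name was listed explicitly.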