Fix server hostname deny feature

It appears that this feature, originally added in #1260, never worked correctly. When the request hostname does not match the user-provided opts.hostname value, we should stop processing the request and return nothing. Instead, what was happening was that we'd simply omit the Access-Control-Allow-Origin header, which is not sufficient since the whole point of DNS rebinding attacks is that they appear same origin and therefore don't require a CORS header.
webtorrent · feross · Jul 30, 2019 · Jul 30, 2019 · Jul 30, 2019 · 30adf6a19b50b6e013c8ad9532c7e59d349df461
commit 30adf6a19b50b6e013c8ad9532c7e59d349df461
diff --git a/lib/server.js b/lib/server.js
@@ -54,13 +54,6 @@ function Server (torrent, opts = {}) {
     // deny them
     if (req.headers.origin == null) return false
 
-    // If a 'hostname' string is specified, deny requests with a 'Host'
-    // header that does not match the origin of the torrent server to prevent
-    // DNS rebinding attacks.
-    if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) {
-      return false
-    }
-
     // The user allowed all origins
     if (opts.origin === '*') return true
 
@@ -77,6 +70,13 @@ function Server (torrent, opts = {}) {
   }
 
   function onRequest (req, res) {
+    // If a 'hostname' string is specified, deny requests with a 'Host'
+    // header that does not match the origin of the torrent server to prevent
+    // DNS rebinding attacks.
+    if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) {
+      return req.destroy()
+    }
+
     const pathname = new URL(req.url, 'http://example.com').pathname
 
     if (pathname === '/favicon.ico') {