feat: add test/.test to server.allowedHosts/`server.cors.origin…

…` by default
vitejs · Jan 21, 2025 · 46fd0d2 · 46fd0d2
1 parent 576e87d
commit 46fd0d2
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 3 deletions.
diff --git a/docs/config/server-options.md b/docs/config/server-options.md
@@ -48,7 +48,7 @@ See [the WSL document](https://learn.microsoft.com/en-us/windows/wsl/networking#
 - **Default:** `[]`
 
 The hostnames that Vite is allowed to respond to.
-`localhost` and domains under `.localhost` and all IP addresses are allowed by default.
+`localhost`/`test` and domains under `.localhost`/`.test` and all IP addresses are allowed by default.
 When using HTTPS, this check is skipped.
 
 If a string starts with `.`, it will allow that hostname without the `.` and all subdomains under the hostname. For example, `.example.com` will allow `example.com`, `foo.example.com`, and `foo.bar.example.com`.

diff --git a/packages/vite/src/node/__tests__/constants.spec.ts b/packages/vite/src/node/__tests__/constants.spec.ts
@@ -5,6 +5,7 @@ test('defaultAllowedOrigins', () => {
   const allowed = [
     'http://localhost',
     'http://foo.localhost',
+    'http://foo.test',
     'http://localhost:3000',
     'https://localhost:3000',
     'http://127.0.0.1',

diff --git a/packages/vite/src/node/constants.ts b/packages/vite/src/node/constants.ts
@@ -185,10 +185,11 @@ export const DEFAULT_ASSETS_INLINE_LIMIT = 4096
 
 // the regex to allow loopback address origins:
 // - localhost domains (which will always resolve to the loopback address by RFC 6761 section 6.3)
+// - test domains (which will never be registered by RFC 6761 section 6.2)
 // - 127.0.0.1
 // - ::1
 export const defaultAllowedOrigins =
-  /^https?:\/\/(?:(?:[^:]+\.)?localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/
+  /^https?:\/\/(?:(?:[^:]+\.)?(?:localhost|test)|127\.0\.0\.1|\[::1\])(?::\d+)?$/
 
 export const METADATA_FILENAME = '_metadata.json'
 

diff --git a/packages/vite/src/node/http.ts b/packages/vite/src/node/http.ts
@@ -26,7 +26,7 @@ export interface CommonServerOptions {
   host?: string | boolean
   /**
    * The hostnames that Vite is allowed to respond to.
-   * `localhost` and subdomains under `.localhost` and all IP addresses are allowed by default.
+   * `localhost`/`test` and domains under `.localhost`/`.test` and all IP addresses are allowed by default.
    * When using HTTPS, this check is skipped.
    *
    * If a string starts with `.`, it will allow that hostname without the `.` and all subdomains under the hostname.

diff --git a/packages/vite/src/node/server/middlewares/hostCheck.ts b/packages/vite/src/node/server/middlewares/hostCheck.ts
@@ -91,6 +91,11 @@ export function isHostAllowedWithoutCache(
   if (hostname === 'localhost' || hostname.endsWith('.localhost')) {
     return true
   }
+  // allow test and .test by default as they will never be registered
+  // https://datatracker.ietf.org/doc/html/rfc6761#section-6.2
+  if (hostname === 'test' || hostname.endsWith('.test')) {
+    return true
+  }
 
   for (const additionalAllowedHost of additionalAllowedHosts) {
     if (additionalAllowedHost === hostname) {