fix(vite,webpack): restrict access via cors to local origins + allow configuration via devServer.cors

2025-01-30 23:32:38 +00:00 · 2025-01-24 16:37:27 +00:00 · 2025-01-24 16:37:27 +00:00 · 406db5b4d2
commit 406db5b4d2
parent 94ba2ea0b6
3 changed files with 22 additions and 7 deletions
--- a/packages/schema/src/config/dev.ts
+++ b/packages/schema/src/config/dev.ts
@ -39,5 +39,13 @@ export default defineUntypedSchema({
     * @type {(data: { loading?: string }) => string}
     */
    loadingTemplate,
+
+    /**
+     * Set CORS options for the dev server
+     * @type {typeof import('h3').H3CorsOptions}
+     */
+    cors: {
+      origin: [/^https?:\/\/(?:(?:[^:]+\.)?localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/],
+    },
  },
 })
--- a/packages/vite/src/client.ts
+++ b/packages/vite/src/client.ts
@ -9,7 +9,7 @@ import { getPort } from 'get-port-please'
 import { joinURL, withoutLeadingSlash } from 'ufo'
 import { defu } from 'defu'
 import { env, nodeless } from 'unenv'
-import { appendCorsHeaders, appendCorsPreflightHeaders, defineEventHandler } from 'h3'
+import { defineEventHandler, handleCors, setHeader } from 'h3'
 import type { ViteConfig } from '@nuxt/schema'
 import type { ViteBuildContext } from './vite'
 import { devStyleSSRPlugin } from './plugins/dev-ssr-css'
@ -255,11 +255,11 @@ export async function buildClient (ctx: ViteBuildContext) {
        // @ts-expect-error _skip_transform is a private property
        event.node.req._skip_transform = true
      } else if (!useViteCors) {
-        if (event.method === 'OPTIONS') {
-          appendCorsPreflightHeaders(event, {})
+        const isPreflight = handleCors(event, ctx.nuxt.options.devServer.cors)
+        if (isPreflight) {
          return null
        }
-        appendCorsHeaders(event, {})
+        setHeader(event, 'Vary', 'Origin')
      }

      // Workaround: vite devmiddleware modifies req.url
--- a/packages/webpack/src/webpack.ts
+++ b/packages/webpack/src/webpack.ts
@ -1,5 +1,6 @@
 import pify from 'pify'
-import { defineEventHandler, fromNodeMiddleware } from 'h3'
+import { defineEventHandler, fromNodeMiddleware, handleCors, setHeader } from 'h3'
+import type { H3CorsOptions } from 'h3'
 import type { IncomingMessage, MultiWatching, ServerResponse } from 'webpack-dev-middleware'
 import webpackDevMiddleware from 'webpack-dev-middleware'
 import webpackHotMiddleware from 'webpack-hot-middleware'
@ -100,7 +101,7 @@ async function createDevMiddleware (compiler: Compiler) {
  })

  // Register devMiddleware on server
-  const devHandler = wdmToH3Handler(devMiddleware)
+  const devHandler = wdmToH3Handler(devMiddleware, nuxt.options.devServer.cors)
  const hotHandler = fromNodeMiddleware(hotMiddleware)
  await nuxt.callHook('server:devHandler', defineEventHandler(async (event) => {
    const body = await devHandler(event)
@ -114,8 +115,14 @@ async function createDevMiddleware (compiler: Compiler) {
 }

 // TODO: implement upstream in `webpack-dev-middleware`
-function wdmToH3Handler (devMiddleware: webpackDevMiddleware.API<IncomingMessage, ServerResponse>) {
+function wdmToH3Handler (devMiddleware: webpackDevMiddleware.API<IncomingMessage, ServerResponse>, corsOptions: H3CorsOptions) {
  return defineEventHandler(async (event) => {
+    const isPreflight = handleCors(event, corsOptions)
+    if (isPreflight) {
+      return null
+    }
+    setHeader(event, 'Vary', 'Origin')
+
    event.context.webpack = {
      ...event.context.webpack,
      devMiddleware: devMiddleware.context,