feat: add new allowedHosts option
#13278
Conversation
🦋 Changeset detectedLatest commit: 4e03d68 The changes in this PR will be included in the next version bump. Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
github-actions
bot
added
pkg: astro
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
ematipico
force-pushed
the
feat/add-allowed-hosts
branch
from
7e674ad to
84d8fcf
Compare
CodSpeed Performance ReportMerging #13278 will not alter performanceComparing Summary
|
astro
@astrojs/cloudflare
@astrojs/netlify
@astrojs/node
@astrojs/vercel
commit: |
Co-authored-by: Armand Philippot <[email protected]>
ematipico
added
- P1: chore
ematipico
added
- P1: chore
ematipico
added
- P1: chore
| * @version 5.4.0 | ||
| * @description | ||
| * | ||
| * A list of hostnames that Astro is allowed to respond to. When the value is set to `true`, any |
There was a problem hiding this comment.
Description looks great!
I noticed that Vite's documentation includes multiple warnings (which hosts can I trust? using true is dangerous and we suggest you don't do it...) Do we feel the need for any of that here?
Otherwise assuming it renders fine in preview, looks good to me!
There was a problem hiding this comment.
I am a bit conflicted, so I leave the decision to you. My idea was to defer the more "in-depth" description to vite, but happy to change it. Let me know
Co-authored-by: Sarah Rainsberger <[email protected]>
|
|
||
| Adds a new configuration option `server.allowedHosts` and CLI option `--allowed-hosts`. | ||
|
|
||
| Now you can specify the hostnames that the dev and preview servers are allowed to respond to. This is useful for... |
There was a problem hiding this comment.
You're pulling a Matthew and not filling in the blank, @ematipico !! 😂
I think we can put the extra note here in the changelog. If you can fill in the blank, I think it would be a useful addition:
This is useful for/when...
(I just made up a couple of things that might not be the right way of saying it. I just know that I needed to add Gitpod to my allowed list in order to run the dev server this weekend, so that's for sure one use case.)
| Now you can specify the hostnames that the dev and preview servers are allowed to respond to. This is useful for... | |
| Now you can specify the hostnames that the dev and preview servers are allowed to respond to. This is useful for allowing additional subdomains, or running the dev server in a web container. | |
| `allowedHosts` checks the Host header on HTTP requests from browsers and if it doesn't match, it will reject the request to prevent CSRF and XSS attacks. |
Changes
Closes #13060
This PR adds a new
allowedHostsand--allowed-hostsoptions.This options isn't passed to the node adapter yet, we will have to figure out how to use it in the preview server.
Testing
I don't know how to test this functionality, help would be appreciated.
Docs
Will send a PR