[PR #278] [MERGED] fix: validate request origin in dev server before Vite serves content #437

Closed
opened 2026-05-06 12:39:48 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/278
Author: @southpolesteve
Created: 3/6/2026
Status: Merged
Merged: 3/6/2026
Merged by: @southpolesteve

Base: main ← Head: fix/dev-server-request-validation


📝 Commits (2)

  • 1982b0e fix: validate request origin in dev server before Vite serves content
  • ee3eef5 refactor: use shared validateDevRequest() in pre-Vite middleware

📊 Changes

3 files changed (+204 additions, -4 deletions)


📝 packages/vinext/src/index.ts (+41 -4)
📝 tests/app-router.test.ts (+82 -0)
📝 tests/pages-router.test.ts (+81 -0)

📄 Description

Summary

  • Register the dev server origin check middleware directly in the configureServer body so it runs before Vite's built-in file-serving middleware. Previously, all request handling was registered in the returned function (post-middleware position), meaning Vite's internal middleware served /@*, /__vite*, and /node_modules* paths before any validation ran.
  • Restrict CORS origin to localhost variants (127.0.0.1, [::1], *.localhost) so cross-origin pages cannot read dev server responses.
  • Add Sec-Fetch-Site: cross-site check as defense-in-depth for no-cors request types that may not send an Origin header.
  • Block _vinext/image endpoint redirects to internal Vite paths (/@*, /__vite*, /node_modules*).

Test coverage

Added regression tests for both App Router and Pages Router dev servers covering:

  • Same-origin requests allowed
  • No-origin requests allowed (direct navigation)
  • Cross-origin requests blocked (including to internal Vite paths and source files)
  • Malformed Origin headers blocked
  • Image endpoint internal path blocking (Pages Router)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
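As an added example that is not vinext's own code, the following standalone sketch shows the pre-Vite request validation this PR describes: the localhost-only Origin allow-list, the Sec-Fetch-Site fallback, and the internal-path block on the image endpoint. The names `DevRequest`, `Verdict`, `INTERNAL_PREFIXES`, `validateDevRequest` and the `url` query parameter of `_vinext/image` are assumptions made for illustration.

```typescript
// Added example, not vinext's own code: a standalone sketch of the
// pre-Vite request validation this PR describes. DevRequest, Verdict,
// INTERNAL_PREFIXES and the `url` query parameter are assumptions.

interface DevRequest {
  url: string;                                  // path plus query, e.g. "/@vite/client"
  headers: Record<string, string | undefined>;  // header names lower-cased
}

type Verdict = { allowed: true } | { allowed: false; reason: string };

// Internal Vite paths that Vite's own middleware would otherwise serve unchecked.
const INTERNAL_PREFIXES = ["/@", "/__vite", "/node_modules"];

// Localhost variants the PR allows: localhost, *.localhost, 127.0.0.1, [::1].
function isLocalhostOrigin(origin: string): boolean {
  let host = "";
  try {
    host = new URL(origin).hostname; // WHATWG URL keeps the brackets for [::1]
  } catch {
    return false; // malformed Origin value (including the literal "null")
  }
  return host === "localhost" || host.endsWith(".localhost") ||
    host === "127.0.0.1" || host === "[::1]";
}

// Registered before Vite's file-serving middleware, so /@*, /__vite* and
// /node_modules* requests pass through this check as well.
function validateDevRequest(req: DevRequest): Verdict {
  const origin = req.headers["origin"];
  // Direct navigations carry no Origin header and are allowed.
  if (origin !== undefined && !isLocalhostOrigin(origin)) {
    return { allowed: false, reason: "cross-origin or malformed Origin" };
  }
  // Defense in depth: no-cors requests may omit Origin yet still send Sec-Fetch-Site.
  if (req.headers["sec-fetch-site"] === "cross-site") {
    return { allowed: false, reason: "Sec-Fetch-Site: cross-site" };
  }
  // The image endpoint must not redirect into internal Vite paths.
  const parsed = new URL(req.url, "http://localhost");
  if (parsed.pathname === "/_vinext/image") {
    const target = parsed.searchParams.get("url") ?? "";
    if (INTERNAL_PREFIXES.some((p) => target.startsWith(p))) {
      return { allowed: false, reason: "image redirect to internal Vite path" };
    }
  }
  return { allowed: true };
}
```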
