Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"Invalid Host/Origin Header" warning #1604

Closed
1 task done
ravshansbox opened this issue Dec 21, 2018 · 59 comments · Fixed by #1606
Closed
1 task done

"Invalid Host/Origin Header" warning #1604

ravshansbox opened this issue Dec 21, 2018 · 59 comments · Fixed by #1606

Comments

@ravshansbox
Copy link

ravshansbox commented Dec 21, 2018

PLEASE READ

We are working on this problem. It is regression problem after fixing security error. Security issues are always high priority and we would not want to revert it, but it is require some changes in sockjs/sockjs-node#247, we have workaround for this problem #1608, but need some feedback. Feel free to feedback.

Fast workaround (put it in your devServer property in config):

disableHostCheck: true




We apologize for the situation. Thanks for helping us do webpack better. ⭐ ⭐ ⭐


  • Operating System: macos 10.14.2
  • Node Version: 11.5.0
  • NPM Version: 6.4.1
  • webpack Version: 4.28.1
  • webpack-dev-server Version: 3.1.11
  • This is a bug

Code

  // webpack.config.js
const path = require('path');
const HtmlWebpackPlugin = require('html-webpack-plugin');
const MiniCssExtractPlugin = require('mini-css-extract-plugin');

module.exports = {
  entry: [
    './src/main.css',
    './src/main.js'
  ],
  output: {
    path: path.resolve(__dirname, 'dist'),
    filename: 'index.js'
  },
  plugins: [
    new HtmlWebpackPlugin({
      template: './src/main.html'
    }),
    new MiniCssExtractPlugin({
      filename: 'index.css'
    })
  ],
  module: {
    rules: [
      {
        test: /\.css$/,
        use: [
          MiniCssExtractPlugin.loader,
          'css-loader'
        ]
      },
      {
        test: /\.js$/,
        exclude: /node_modules/,
        use: 'babel-loader'
      }
    ]
  },
  stats: {
    children: false,
    modules: false
  },
  devServer: {
    proxy: {
      '/api': 'http://localhost:3000'
    },
    stats: {
      children: false,
      modules: false
    }
  }
};

Expected Behavior

No warnings

Actual Behavior

Getting "Invalid Host/Origin Header" warning in browser console

For Bugs; How can we reproduce the behavior?

install webpack-dev-server@3.1.11 and run (v3.1.10 working as expected).

image

@alexander-akait
Copy link
Member

@ravshansbox it is security fix, looks you origin than you use in config, you can use disableHostCheck: true in you case, anyway can you create minimum reproducible test repo?

@ravshansbox
Copy link
Author

@ravshansbox
Copy link
Author

with disableHostCheck: true there is no warning.

@alexander-akait
Copy link
Member

@ravshansbox thanks, i will look in near future, but if original is not same it is normal have this error

@pkk82
Copy link

pkk82 commented Dec 21, 2018

I have the same issue. Problem here is that browser does not send origin header at all. Here my debug of connection object

SockJSConnection { _session: Session { session_id: undefined, heartbeat_delay: 25000, disconnect_delay: 5000, prefix: '/sockjs-node', send_buffer: [], is_closing: false, readyState: 1, timeout_cb: [Function], to_tref: Timeout { _called: false, _idleTimeout: 25000, _idlePrev: [Object], _idleNext: [Object], _idleStart: 1740, _onTimeout: [Function], _timerArgs: undefined, _repeat: null, _destroyed: false, [Symbol(asyncId)]: 6686, [Symbol(triggerAsyncId)]: 6679 }, connection: [Circular], emit_open: null, recv: WebSocketReceiver { ws: [Object], connection: [Object], heartbeat_cb: [Function], thingy: [Object], thingy_end_cb: [Function], session: [Circular] } }, id: 'da07ccdf-4d74-4fed-a48b-6d76247e97af', headers: { host: 'localhost:8080', 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36', 'accept-language': 'pl,en;q=0.9,en-US;q=0.8,fr;q=0.7' }, prefix: '/sockjs-node', remoteAddress: '127.0.0.1', remotePort: 37412, address: { address: '127.0.0.1', family: 'IPv4', port: 8080 }, url: '/sockjs-node/599/ngnhxajl/websocket', pathname: '/sockjs-node/599/ngnhxajl/websocket', protocol: 'websocket' }
`

@bwigs
Copy link

bwigs commented Dec 21, 2018

I am seeing this issue as well with 3.1.11. Rolling back to 3.1.10 fixes it.

jgerigmeyer added a commit to SFDO-Tooling/MetaDeploy that referenced this issue Dec 21, 2018
@rpang77
Copy link

rpang77 commented Dec 21, 2018

Also, got this issue after upgrading to 3.1.11

@lambcode
Copy link

I also am getting this error in Firefox 64.0 with version 3.1.11. Reverting to 3.1.10 fixes it.

@Akiyamka
Copy link

Akiyamka commented Dec 22, 2018

I confirm, the same problem.
Manjaro linux (4.19.8-2-MANJARO)
Firefox DE 65.0b2
Node LTS (10.14.2)

@juank11memphis
Copy link

Same problem here

@alexander-akait
Copy link
Member

Please read #1604 (comment)

@alexander-akait
Copy link
Member

@ravshansbox
Copy link
Author

ravshansbox commented Dec 22, 2018

I can confirm that the issue still exists.

@davidpelayo
Copy link

I can also confirm that the issue still exists

@alexander-akait
Copy link
Member

Please don't spam Same problem here or issue still exists, better create minimum reproducible test repo, it is allow to fix all edge cases, thanks!

@3846masa
Copy link
Member

I checked request sent to dev-server via Chrome in localhost, request doesn't have Origin header.

{ host: 'localhost:8080',
  'user-agent':
   'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36',
  'accept-language': 'ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7' }

checkHeader will return false when value is empty, so this issue still exists, I think.

if (!hostHeader) {
return false;
}

@3846masa
Copy link
Member

3846masa commented Dec 22, 2018

Sockjs will remove Origin header.
Ref. sockjs/sockjs-node#247

@3846masa
Copy link
Member

In my opinion, it is better to revert #1603 until sockjs/sockjs-node#247 is merged.

@alexander-akait
Copy link
Member

@3846masa let's wait some time and revert it, maybe we can implement workaround on our side, need investigate, feel free to do it, thanks

damien-shaw-guardian added a commit to guardian/support-frontend that referenced this issue May 15, 2019
refactor: changed name of variant
- Also added `disableHostCheck: true` to disable error "Invalid Host/Origin Header" warning
- issue webpack/webpack-dev-server#1604
Jrc356 added a commit to Jrc356/Folder-Analyzer that referenced this issue Jul 10, 2019
@neverblued
Copy link

Even with disableHostCheck now after updating I can not get rid of these errors.

dshoreman added a commit to dshoreman/servidor that referenced this issue Aug 7, 2019
I'd just given up on getting Mix to work with HMR (specifically with
CORS since we're using servidor.local which points to Vagrant, and HMR
hosts the assets on localhost). Turns out instead of trying to set the
allowed origins header we need to disable the host check.*

We no longer have a need for browser-sync now either, hence its removal.

Also cleans up the npm commands. Don't need two of everything and we
don't need the full path to webpack[,-dev-server] either.

* See webpack/webpack-dev-server#1604 for details
christophercr added a commit to christophercr/ngx-form-errors that referenced this issue Nov 22, 2019
…prevent 'Invalid Host/Origin header' error in IE

Workaround mentioned in webpack/webpack-dev-server#1604 (comment)
@gander
Copy link

gander commented Nov 29, 2019

Are there any chances to solve this problem soon?

SaffatHasan added a commit to zexi26/evote-system that referenced this issue Dec 4, 2019
Currently active problem with vue.js
See webpack/webpack-dev-server#1604
SuperITMan pushed a commit to SuperITMan/ngx-form-errors that referenced this issue Feb 27, 2020
…prevent 'Invalid Host/Origin header' error in IE

Workaround mentioned in webpack/webpack-dev-server#1604 (comment)
SuperITMan pushed a commit to SuperITMan/ngx-form-errors that referenced this issue Feb 27, 2020
…prevent 'Invalid Host/Origin header' error in IE

Workaround mentioned in webpack/webpack-dev-server#1604 (comment)
SuperITMan pushed a commit to SuperITMan/ngx-form-errors that referenced this issue Feb 27, 2020
…prevent 'Invalid Host/Origin header' error in IE

Workaround mentioned in webpack/webpack-dev-server#1604 (comment)
SuperITMan pushed a commit to SuperITMan/ngx-form-errors that referenced this issue Feb 28, 2020
…prevent 'Invalid Host/Origin header' error in IE

Workaround mentioned in webpack/webpack-dev-server#1604 (comment)
dtinth added a commit to bemusic/bemuse that referenced this issue May 3, 2020
darrenmcc-microfocus pushed a commit to UXAspects/UXAspects that referenced this issue Jun 1, 2020
* Suppress "Invalid Host/Origin Header" error in plunker when using HTTPS

See webpack/webpack-dev-server#1604.

* Fix chance error in Select List documentation

* Fix ExpressionChanged error for aria-controls
@simeyla
Copy link

simeyla commented Jul 13, 2020

If you're using @angular-builders/custom-webpack try this:

// custom-webpack.config.js
module.exports = {

  devServer: {
    disableHostCheck: true
  },

   plugins: []
};

@variable
Copy link

I am running 3.11.0 webpack-dev-server and still having this problem after specifying disableHostCheck: true

@Logopher
Copy link

I see this message consistently when I run my project via Fiddler at localhost.fiddler:4200 and not when I use localhost:4200.

@testacode
Copy link

This is happening now on webpack 5 and disableHostCheck is not part of the api anymore. Any thoughts?

@kevinmu17
Copy link

Using webpack-dev-server 4.0.0 disableHostCheck: true is not available anymore.

headers: {
        'Access-Control-Allow-Origin': '*'
},

This is also not working

@snitin315
Copy link
Member

snitin315 commented Aug 19, 2021

@kevinmu17 the disableHostCheck: true option was removed in favor of allowedHosts: "all", for more information please refer to our migration guide - https://github.com/webpack/webpack-dev-server/blob/master/migration-v4.md

@kevinmu17
Copy link

@kevinmu17 the disableHostCheck: true option was removed in favor of allowedHosts: "all", for more information please refer to our migration guide - https://github.com/webpack/webpack-dev-server/blob/master/migration-v4.md

This link should be available on https://webpack.js.org/configuration/dev-server/ This was a live saver, I was banging my head, the information is very well explained and it took me a few hours to migrate. Thank you very much for pointing this out!

wac925 added a commit to wac925/laravel-bundler that referenced this issue Dec 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.