[bug] Can't use disableHostCheck option - v2.4.3

[nwoltman]

When trying to use the disableHostCheck option with v2.4.3, I get:

Warning: Invalid configuration object. webpack-dev-server has been initialised using a configuration object that does not match the API schema.
 - configuration has an unknown property 'disableHostCheck'. These properties are valid:
   object { hot?, hotOnly?, lazy?, host?, filename?, publicPath?, port?, socket?, watchOptions?, headers?, clientLogLevel?, overlay?, key?, cert?, ca?, pfx?, pfxPassphrase?, inline?, public?, https?, contentBase?, watchContentBase?, open?, features?, compress?, proxy?, historyApiFallback?, staticOptions?, setup?, stats?, reporter?, noInfo?, quiet?, serverSideRender?, index?, log?, warn? } Use --force to continue.

I'm guessing disableHostCheck just needs to be added to optionsSchema.json.

[sokra]

Could you explain why you want to disable this security feature?

[sokra]

released in v2.4.4

[karolyi]

@sokra, can it be that this is connected with #533 (comment)?

[nwoltman]

@sokra Sometimes I need to test out features directly on my phone, and to do that I need to use the IP address of my computer that's running webpack-dev-server as the host to be able to connect to it.

I'm not totally sure that this security feature is necessary for me because when I use webpack-dev-server I'm either on a network with people I trust (home or work), or if I'm on a public network I keep my ports closed.

[edmorley]

This security feature protects against a DNS rebinding attack I reported privately to the webpack team, which may still affect you depending on your exact setup.

[nwoltman]

Oh I see. In that case I'll leave the host check enabled and only disable it when I absolutely need to (which is rarely anyway).
@edmorley At some point in the future, would you be able to share this attack with the community?

[bdwain]

@edmorley @sokra is there a recommended solution for hitting a local dev server from a tablet without having to enable this flag then? That's a pretty common workflow for me at work and it sounds like @nwoltman is in the same boat.

[edmorley]

@edmorley At some point in the future, would you be able to share this attack with the community?

I've filed a retrospective GitHub issue with the original private disclosure email wording, which should hopefully make things a bit clearer: #887 - happy to answer any additional questions.

I've also made a suggestion about improving the UX for the "use a dynamic IP to access from a mobile device" case in #882 (comment)

[grgur]

@bdwain have you tried setting host: 0.0.0.0?

[tanzeelrana]

I am still unable to use disableHostCheck flag -_-

ng serve --host 0.0.0.0 --disableHostCheck=true

help please

[chai-jay]

@tanzeelrana That sounds like a feature request to open with Angular CLI project. Their CLI has to support disableHostCheck option and pass it to Webpack.