Merge commit from fork

* test: add regression tests for CORP header on cross-origin responses

Ref: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w

* fix: set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

Ref: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w

* fix: update CORS handling to differentiate between wildcard and specific-origin headers

---------

Co-authored-by: Sebastian Beltran <bjohansebas@gmail.com>

Author: UlisesGascon

lib/Server.js

@@ -2019,6 +2019,14 @@ class Server {
           return;
         }
 
+        // Block cross-origin resource loading when Sec-Fetch-* headers are absent (HTTP origins)
+        if (
+          this.options.allowedHosts !== "all" &&
+          !this.isUserCORSWildcardEnabled()
+        ) {
+          res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
+        }
+
         next();
       },
     });
@@ -3184,6 +3192,53 @@ class Server {
     return false;
   }
 
+  /**
+   * @private
+   * @returns {boolean} true when the user has configured a wildcard
+   * Access-Control-Allow-Origin header (opting into fully open cross-origin access)
+   */
+  isUserCORSWildcardEnabled() {
+    const { headers } = this.options;
+
+    if (!headers) {
+      return false;
+    }
+
+    if (typeof headers === "function") {
+      return false;
+    }
+
+    /**
+     * @param {string | string[]} value header value
+     * @returns {boolean} true when value is the "*" wildcard
+     */
+    const isWildcard = (value) => {
+      if (typeof value === "string") {
+        return value.trim() === "*";
+      }
+
+      if (Array.isArray(value)) {
+        return value.length === 1 && isWildcard(value[0]);
+      }
+
+      return false;
+    };
+
+    if (Array.isArray(headers)) {
+      return headers.some(
+        (header) =>
+          header.key.toLowerCase() === "access-control-allow-origin" &&
+          isWildcard(header.value),
+      );
+    }
+
+    return Object.entries(headers).some(
+      ([key, value]) =>
+        key.toLowerCase() === "access-control-allow-origin" &&
+        isWildcard(value),
+    );
+  }
+
   /**
    * @private
    * @param {{ [key: string]: string | undefined }} headers headers

test/e2e/cross-origin-request.test.js

@@ -218,3 +218,157 @@ describe("cross-origin requests", () => {
     }
   });
 });
+
+// @see https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w
+describe("cross-origin resource policy header", () => {
+  const devServerPort = port1;
+
+  let server;
+
+  afterEach(async () => {
+    if (server) {
+      await server.stop();
+      // Allow the port to be fully released before the next test
+      await new Promise((resolve) => {
+        setTimeout(resolve, 100);
+      });
+      server = null;
+    }
+  });
+
+  function request(url, headers = {}) {
+    const http = require("node:http");
+
+    return new Promise((resolve, reject) => {
+      const req = http.get(url, { headers }, (res) => {
+        let body = "";
+        res.on("data", (chunk) => {
+          body += chunk;
+        });
+        res.on("end", () => {
+          resolve({ status: res.statusCode, headers: res.headers, body });
+        });
+      });
+      req.on("error", reject);
+    });
+  }
+
+  it("should set Cross-Origin-Resource-Policy: same-origin by default", async () => {
+    const compiler = webpack(config);
+    server = new Server(
+      { port: devServerPort, allowedHosts: "auto" },
+      compiler,
+    );
+
+    await server.start();
+
+    const res = await request(`http://localhost:${devServerPort}/main.js`);
+
+    expect(res.headers["cross-origin-resource-policy"]).toBe("same-origin");
+  });
+
+  it("should NOT set CORP header when allowedHosts is 'all'", async () => {
+    const compiler = webpack(config);
+    server = new Server({ port: devServerPort, allowedHosts: "all" }, compiler);
+
+    await server.start();
+
+    const res = await request(`http://localhost:${devServerPort}/main.js`);
+
+    expect(res.headers["cross-origin-resource-policy"]).toBeUndefined();
+  });
+
+  it("should NOT set CORP header when user configures wildcard CORS", async () => {
+    const compiler = webpack(config);
+    server = new Server(
+      {
+        port: devServerPort,
+        allowedHosts: "auto",
+        headers: { "Access-Control-Allow-Origin": "*" },
+      },
+      compiler,
+    );
+
+    await server.start();
+
+    const res = await request(`http://localhost:${devServerPort}/main.js`);
+
+    expect(res.headers["cross-origin-resource-policy"]).toBeUndefined();
+  });
+
+  it("should set CORP header when user configures a specific-origin Access-Control-Allow-Origin (no-cors embedding is not governed by CORS)", async () => {
+    const compiler = webpack(config);
+    server = new Server(
+      {
+        port: devServerPort,
+        allowedHosts: "auto",
+        headers: {
+          "Access-Control-Allow-Origin": "http://foo.example.com",
+        },
+      },
+      compiler,
+    );
+
+    await server.start();
+
+    const res = await request(`http://localhost:${devServerPort}/main.js`);
+
+    expect(res.headers["cross-origin-resource-policy"]).toBe("same-origin");
+  });
+
+  it("should set CORP header when user configures Access-Control-Allow-Origin via headers array with a specific origin", async () => {
+    const compiler = webpack(config);
+    server = new Server(
+      {
+        port: devServerPort,
+        allowedHosts: "auto",
+        headers: [
+          {
+            key: "Access-Control-Allow-Origin",
+            value: "http://foo.example.com",
+          },
+        ],
+      },
+      compiler,
+    );
+
+    await server.start();
+
+    const res = await request(`http://localhost:${devServerPort}/main.js`);
+
+    expect(res.headers["cross-origin-resource-policy"]).toBe("same-origin");
+  });
+
+  it("should NOT set CORP header when user configures wildcard Access-Control-Allow-Origin via headers array", async () => {
+    const compiler = webpack(config);
+    server = new Server(
+      {
+        port: devServerPort,
+        allowedHosts: "auto",
+        headers: [{ key: "Access-Control-Allow-Origin", value: "*" }],
+      },
+      compiler,
+    );
+
+    await server.start();
+
+    const res = await request(`http://localhost:${devServerPort}/main.js`);
+
+    expect(res.headers["cross-origin-resource-policy"]).toBeUndefined();
+  });
+
+  it("should NOT set CORP header when host is in allowedHosts", async () => {
+    const compiler = webpack(config);
+    server = new Server(
+      { port: devServerPort, allowedHosts: ["localhost"] },
+      compiler,
+    );
+
+    await server.start();
+
+    const res = await request(`http://localhost:${devServerPort}/main.js`);
+
+    expect(res.status).toBe(200);
+    expect(res.headers["cross-origin-resource-policy"]).toBeUndefined();
+  });
+});

types/lib/Server.d.ts

@@ -1356,6 +1356,12 @@ declare class Server<
    * @returns {boolean} true when host allowed, otherwise false
    */
   private isHostAllowed;
+  /**
+   * @private
+   * @returns {boolean} true when the user has configured a wildcard
+   * Access-Control-Allow-Origin header (opting into fully open cross-origin access)
+   */
+  private isUserCORSWildcardEnabled;
   /**
    * @private
    * @param {{ [key: string]: string | undefined }} headers headers