Skip to content

Commit

Permalink
Fix metro crash when Flipper connects (#1523)
Browse files Browse the repository at this point in the history
* Fix metro crash when Flipper connects

Fixes per work around: facebook/flipper#3189 (comment). The same fix has been applied to FB infra, and the next release will temporarily set an `origin` header as work around for existing RN versions. 

Fixes:
* facebook/flipper#2870
* facebook/flipper#3189

The essence of the fix is that we shouldn't check the `origin` header if it is not present. That might sound unsafe, but it actually is just a check to protect from malicious websites, and browsers ensure the origin header is set for cross site requests. For websocket connections created outside a browser context, the creator has full control over the origin header anyway, so checking it would not add any safety.

* Fix lint error
  • Loading branch information
mweststrate authored Dec 22, 2021
1 parent c4b42c4 commit ccd09df
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion packages/cli-server-api/src/websocket/eventsSocketServer.ts
Original file line number Diff line number Diff line change
Expand Up @@ -125,8 +125,13 @@ function attachToServer(
verifyClient({origin}: {origin: string}) {
// This exposes the full JS logs and enables issuing commands like reload
// so let's make sure only locally running stuff can connect to it
// origin is only checked if it is set, e.g. when the request is made from a (CORS) browser
// any 'back-end' connection isn't CORS at all, and has full control over the origin header,
// so there is no point in checking it security wise
return (
origin.startsWith('http://localhost:') || origin.startsWith('file:')
!origin ||
origin.startsWith('http://localhost:') ||
origin.startsWith('file:')
);
},
});
Expand Down

0 comments on commit ccd09df

Please sign in to comment.