Commit 14c3d49

fix(proxy): replace changeOrigin changes in 5.3.0 with new rewriteWsOrigin option (#17563)
Co-authored-by: John Hunter <john.hunter@arenko.group>
1 parent 055f1c1 commit 14c3d49

2 files changed

+24
-11
lines changed

docs/config/server-options.md

+3-1
@@ -90,7 +90,7 @@ Configure custom proxy rules for the dev server. Expects an object of `{ key: op
9090

9191
Note that if you are using non-relative [`base`](/config/shared-options.md#base), you must prefix each key with that `base`.
9292

93-
Extends [`http-proxy`](https://github.com/http-party/node-http-proxy#options). Additional options are [here](https://github.com/vitejs/vite/blob/main/packages/vite/src/node/server/middlewares/proxy.ts#L13). Note that [unlike http-proxy](https://github.com/http-party/node-http-proxy/issues/1669), the `changeOrigin` option will change both host and origin headers to match the target.
93+
Extends [`http-proxy`](https://github.com/http-party/node-http-proxy#options). Additional options are [here](https://github.com/vitejs/vite/blob/main/packages/vite/src/node/server/middlewares/proxy.ts#L13).
9494

9595
In some cases, you might also want to configure the underlying dev server (e.g. to add custom middlewares to the internal [connect](https://github.com/senchalabs/connect) app). In order to do that, you need to write your own [plugin](/guide/using-plugins.html) and use [configureServer](/guide/api-plugin.html#configureserver) function.
9696

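Review bot: The replacement sentence on line 93 drops the old `changeOrigin` caveat without saying what replaces it, so this option reference never mentions `rewriteWsOrigin` or that `changeOrigin` no longer touches the `Origin` header. Suggest adding one sentence here stating that the `Origin` header of a proxied WebSocket request is left as the browser sent it unless `rewriteWsOrigin` is set, with a pointer to the CSRF warning that accompanies that option.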
@@ -123,9 +123,11 @@ export default defineConfig({
123123
},
124124
},
125125
// Proxying websockets or socket.io: ws://localhost:5173/socket.io -> ws://localhost:5174/socket.io
126+
// Exercise caution using `rewriteWsOrigin` as it can leave the proxying open to CSRF attacks.
126127
'/socket.io': {
127128
target: 'ws://localhost:5174',
128129
ws: true,
130+
rewriteWsOrigin: true,
129131
},
130132
},
131133
},
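Review bot: `rewriteWsOrigin: true` on line 130 sits in the main socket.io example that readers copy, directly under a comment warning that it can open the proxy to CSRF. Suggest keeping the option out of the default example (or showing it commented out) and expanding the comment on line 126 to say when it is needed: only when the target WebSocket server rejects the browser's `Origin`, since rewriting it makes the `Origin` of every proxied connection match the target.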

packages/vite/src/node/server/middlewares/proxy.ts

+21-10
@@ -27,20 +27,35 @@ export interface ProxyOptions extends HttpProxy.ServerOptions {
2727
res: http.ServerResponse,
2828
options: ProxyOptions,
2929
) => void | null | undefined | false | string
30+
/**
31+
* rewrite the Origin header of a WebSocket request to match the the target
32+
*
33+
* **Exercise caution as rewriting the Origin can leave the proxying open to [CSRF attacks](https://owasp.org/www-community/attacks/csrf).**
34+
*/
35+
rewriteWsOrigin?: boolean | undefined
3036
}
3137

32-
const setOriginHeader = (
38+
const rewriteOriginHeader = (
3339
proxyReq: http.ClientRequest,
34-
options: HttpProxy.ServerOptions,
40+
options: ProxyOptions,
41+
config: ResolvedConfig,
3542
) => {
3643
// Browsers may send Origin headers even with same-origin
3744
// requests. It is common for WebSocket servers to check the Origin
38-
// header, so if changeOrigin is true we change the Origin to match
45+
// header, so if rewriteWsOrigin is true we change the Origin to match
3946
// the target URL.
40-
// https://github.com/http-party/node-http-proxy/issues/1669
41-
if (options.changeOrigin) {
47+
if (options.rewriteWsOrigin) {
4248
const { target } = options
4349

50+
if (proxyReq.headersSent) {
51+
config.logger.warn(
52+
colors.yellow(
53+
`Unable to rewrite Origin header as headers are already sent.`,
54+
),
55+
)
56+
return
57+
}
58+
4459
if (proxyReq.getHeader('origin') && target) {
4560
const changedOrigin =
4661
typeof target === 'object'
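Review bot: The `proxyReq.headersSent` guard on lines 50-57 runs before the `proxyReq.getHeader('origin') && target` check on line 59, so the warning is logged even for requests that carry no `Origin` header and have nothing to rewrite. Suggest moving the guard inside that `if`, and including the target in the message so the warning can be tied to a proxy rule. Minor: the JSDoc on line 31 reads "the the target".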
@@ -112,12 +127,8 @@ export function proxyMiddleware(
112127
}
113128
})
114129

115-
proxy.on('proxyReq', (proxyReq, req, res, options) => {
116-
setOriginHeader(proxyReq, options)
117-
})
118-
119130
proxy.on('proxyReqWs', (proxyReq, req, socket, options, head) => {
120-
setOriginHeader(proxyReq, options)
131+
rewriteOriginHeader(proxyReq, options, config)
121132

122133
socket.on('error', (err) => {
123134
config.logger.error(
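Review bot: Dropping the `proxyReq` listener on lines 115-117 means `Origin` is no longer rewritten for plain HTTP requests at all, and `changeOrigin` alone no longer rewrites it for WebSockets, yet the commit touches only the docs and `proxy.ts`, with no test. Suggest a test that asserts the upstream `Origin` is unchanged with `changeOrigin: true` alone and matches the target only when `rewriteWsOrigin: true` is set on a `ws: true` rule.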
