From 1c561161e2eb9a06a12f7b09a615ebb98aaadf31 Mon Sep 17 00:00:00 2001
From: 3846masa <3846masahiro+git@gmail.com>
Date: Sat, 22 Dec 2018 23:28:48 +0900
Subject: [PATCH 1/2] Fix checkHost

fixed #1604
---
 lib/Server.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/Server.js b/lib/Server.js
index e1b2034acd..90494c99b1 100644
--- a/lib/Server.js
+++ b/lib/Server.js
@@ -646,7 +646,12 @@ Server.prototype.checkHost = function (headers, headerToCheck) {
   }
 
   // use the node url-parser to retrieve the hostname from the host-header.
-  const hostname = url.parse(`//${hostHeader}`, false, true).hostname;
+  const hostname = url.parse(
+    // if hostHeader doesn't have scheme, add // for parsing.
+    /^(.+:)?\/\//.test(hostHeader) ? hostHeader : `//${hostHeader}`,
+    false,
+    true,
+  ).hostname;
   // always allow requests with explicit IPv4 or IPv6-address.
   // A note on IPv6 addresses:
   // hostHeader will always contain the brackets denoting

From e614308fed6eafc2fccce37837fd16c406f54116 Mon Sep 17 00:00:00 2001
From: 3846masa <3846masahiro+git@gmail.com>
Date: Sat, 22 Dec 2018 23:40:00 +0900
Subject: [PATCH 2/2] Add test

checkHost should allow urls with scheme
---
 test/Validation.test.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/test/Validation.test.js b/test/Validation.test.js
index 12c54d7e83..8dc0f98cb6 100644
--- a/test/Validation.test.js
+++ b/test/Validation.test.js
@@ -171,6 +171,19 @@ describe('Validation', () => {
       }
     });
 
+    it('should allow urls with scheme for checking origin', () => {
+      const options = {
+        public: 'test.host:80'
+      };
+      const headers = {
+        origin: 'https://test.host'
+      };
+      const server = new Server(compiler, options);
+      if (!server.checkHost(headers, 'origin')) {
+        throw new Error("Validation didn't fail");
+      }
+    });
+
     describe('allowedHosts', () => {
       it('should allow hosts in allowedHosts', () => {
         const tests = [