fixes Origin validation for IP address. gives meaning to public and allowedHosts

[carlosgeos]

• This is a bugfix
• This is a feature
• This is a code refactor
• This is a test update
• This is a docs update
• This is a metadata update

For Bugs and Features; did you add new tests?

Yes, I have adapted and improved the tests.

Motivation / Use-Case

#1618

Breaking Changes

None.

BUT it is breaking if people are using webpack-dev-server in a way it is not intended to be used. For example, without specifying public or allowedHosts to serve publicly.

Additional Info

This fixes #1618 which are two things basically:

1. More security regarding the websocket server (it was accepting all connections with an IP address as Origin). https://www.npmjs.com/advisories/725
2. Not letting everyone in the network connect to the development server unless specified if public, allowedHosts, etc

[carlosgeos]

I also like #1619. If that one gets merged, I'll update this PR (to have no conflicts)

[alexander-akait]

Why we remove this check, it can be breaking change for some developers?

[carlosgeos]

This check basically means no security (for both static server and sockjs server) (#1618). It is not breaking if people are following the docs 👍

[alexander-akait]

@carlosgeos developers are not following the docs 😄 Better avoid this removing, we can do this in next major release

[carlosgeos]

hahahah ok, then I'll close this PR

[alexander-akait]

We need better check here, because some developers can use 192.168.0.1 or other local IPs

[carlosgeos]

If they use a local IP, developers should specify public: '192.168.0.x'. It will be covered by the public option further down in the code:

webpack-dev-server/lib/Server.js

Lines 714 to 716 in dd92f31

	if (hostname === publicHostname) {
	return true;
	}

allowedHosts can also be used.

[alexander-akait]

Also need rebase