Merge branch 'webpack:master' into feat/overlay-ui

Author: negimox

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [5.2.2](https://github.com/webpack/webpack-dev-server/compare/v5.2.1...v5.2.2) (2025-06-03)
+
+
+### Bug Fixes
+
+* "Overlay enabled" false positive ([18e72ee](https://github.com/webpack/webpack-dev-server/commit/18e72ee3e57a6e7598a6c068c0ff7c7bb6a857f1))
+* do not crush when error is null for runtime errors ([#5447](https://github.com/webpack/webpack-dev-server/issues/5447)) ([309991f](https://github.com/webpack/webpack-dev-server/commit/309991f947baa0354140b9930a9654ac792e20c4))
+* remove unnecessary header `X_TEST` ([#5451](https://github.com/webpack/webpack-dev-server/issues/5451)) ([64a6124](https://github.com/webpack/webpack-dev-server/commit/64a6124bf1b4d158bb42a4341dd03121ae3759fa))
+* respect the `allowedHosts` option for cross-origin header check ([#5510](https://github.com/webpack/webpack-dev-server/issues/5510)) ([03d1214](https://github.com/webpack/webpack-dev-server/commit/03d12141bf7be09dfb14e91e5c834ee63bd9a9a2))
+
 ## [5.2.1](https://github.com/webpack/webpack-dev-server/compare/v5.2.0...v6.0.0) (2025-03-26)
 
 ### Security

lib/Server.js

@@ -1986,6 +1986,13 @@ class Server {
         const headers =
           /** @type {{ [key: string]: string | undefined }} */
           (req.headers);
+        const headerName = headers[":authority"] ? ":authority" : "host";
+
+        if (this.isValidHost(headers, headerName, false)) {
+          next();
+          return;
+        }
+
         if (
           headers["sec-fetch-mode"] === "no-cors" &&
           headers["sec-fetch-site"] === "cross-site"
@@ -3166,9 +3173,10 @@ class Server {
    * @private
    * @param {{ [key: string]: string | undefined }} headers
    * @param {string} headerToCheck
+   * @param {boolean} validateHost
    * @returns {boolean}
    */
-  isValidHost(headers, headerToCheck) {
+  isValidHost(headers, headerToCheck, validateHost = true) {
     if (this.options.allowedHosts === "all") {
       return true;
     }
@@ -3210,12 +3218,13 @@ class Server {
     // For convenience, always allow localhost (hostname === 'localhost')
     // and its subdomains (hostname.endsWith(".localhost")).
     // allow hostname of listening address  (hostname === this.options.host)
-    const isValidHostname =
-      ipaddr.IPv4.isValid(hostname) ||
-      ipaddr.IPv6.isValid(hostname) ||
-      hostname === "localhost" ||
-      hostname.endsWith(".localhost") ||
-      hostname === this.options.host;
+    const isValidHostname = validateHost
+      ? ipaddr.IPv4.isValid(hostname) ||
+        ipaddr.IPv6.isValid(hostname) ||
+        hostname === "localhost" ||
+        hostname.endsWith(".localhost") ||
+        hostname === this.options.host
+      : false;
 
     return isValidHostname;
   }