fix!: default server.cors: false to disallow fetching from untrusted origins

sapphi-red · sapphi-red · commit dfea38f1ff9f · 2025-01-20T18:19:44.000+09:00
diff --git a/docs/config/server-options.md b/docs/config/server-options.md
@@ -137,8 +137,15 @@ export default defineConfig({
 ## server.cors
 
 - **Type:** `boolean | CorsOptions`
+- **Default:** `false`
+
+Configure CORS for the dev server. Pass an [options object](https://github.com/expressjs/cors#configuration-options) to fine tune the behavior or `true` to allow any origin.
+
+:::warning
 
-Configure CORS for the dev server. This is enabled by default and allows any origin. Pass an [options object](https://github.com/expressjs/cors#configuration-options) to fine tune the behavior or `false` to disable.
+We recommend setting a specific value rather than `true` to avoid exposing the source code to untrusted origins.
+
+:::
 
 ## server.headers
 
diff --git a/docs/guide/backend-integration.md b/docs/guide/backend-integration.md
@@ -13,6 +13,12 @@ If you need a custom integration, you can follow the steps in this guide to conf
    // ---cut---
    // vite.config.js
    export default defineConfig({
+     server: {
+       cors: {
+         // the origin you will be accessing via browser
+         origin: 'http://my-backend.example.com',
+       },
+     },
      build: {
        // generate .vite/manifest.json in outDir
        manifest: true,
diff --git a/packages/vite/src/node/__tests__/config.spec.ts b/packages/vite/src/node/__tests__/config.spec.ts
@@ -249,7 +249,7 @@ describe('preview config', () => {
       'Cache-Control': 'no-store',
     },
     proxy: { '/foo': 'http://localhost:4567' },
-    cors: false,
+    cors: true,
   })
 
   test('preview inherits server config with default port', async () => {
@@ -285,7 +285,7 @@ describe('preview config', () => {
     open: false,
     host: false,
     proxy: { '/bar': 'http://localhost:3010' },
-    cors: true,
+    cors: false,
   })
 
   test('preview overrides server config', async () => {
diff --git a/packages/vite/src/node/http.ts b/packages/vite/src/node/http.ts
@@ -59,8 +59,14 @@ export interface CommonServerOptions {
   /**
    * Configure CORS for the dev server.
    * Uses https://github.com/expressjs/cors.
+   *
+   * When enabling this option, **we recommend setting a specific value
+   * rather than `true`** to avoid exposing the source code to untrusted origins.
+   *
    * Set to `true` to allow all methods from any origin, or configure separately
    * using an object.
+   *
+   * @default false
    */
   cors?: CorsOptions | boolean
   /**
@@ -73,6 +79,12 @@ export interface CommonServerOptions {
  * https://github.com/expressjs/cors#configuration-options
  */
 export interface CorsOptions {
+  /**
+   * Configures the Access-Control-Allow-Origin CORS header.
+   *
+   * **We recommend setting a specific value rather than
+   * `true`** to avoid exposing the source code to untrusted origins.
+   */
   origin?:
     | CorsOrigin
     | ((
diff --git a/packages/vite/src/node/preview.ts b/packages/vite/src/node/preview.ts
@@ -184,7 +184,7 @@ export async function preview(
 
   // cors
   const { cors } = config.preview
-  if (cors !== false) {
+  if (cors !== undefined && cors !== false) {
     app.use(corsMiddleware(typeof cors === 'boolean' ? {} : cors))
   }
 
diff --git a/packages/vite/src/node/server/index.ts b/packages/vite/src/node/server/index.ts
@@ -847,9 +847,9 @@ export async function _createServer(
     middlewares.use(timeMiddleware(root))
   }
 
-  // cors (enabled by default)
+  // cors
   const { cors } = serverConfig
-  if (cors !== false) {
+  if (cors !== undefined && cors !== false) {
     middlewares.use(corsMiddleware(typeof cors === 'boolean' ? {} : cors))
   }
 
diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts
@@ -1,14 +1,27 @@
 import fetch from 'node-fetch'
-import { beforeAll, describe, expect, test } from 'vitest'
+import {
+  afterEach,
+  beforeAll,
+  beforeEach,
+  describe,
+  expect,
+  test,
+} from 'vitest'
+import type { Page } from 'playwright-chromium'
 import testJSON from '../safe.json'
-import { isServe, page, viteTestUrl } from '~utils'
+import { browser, isServe, page, viteTestUrl } from '~utils'
+
+const getViteTestIndexHtmlUrl = () => {
+  const srcPrefix = viteTestUrl.endsWith('/') ? '' : '/'
+  // NOTE: viteTestUrl is set lazily
+  return viteTestUrl + srcPrefix + 'src/'
+}
 
 const stringified = JSON.stringify(testJSON)
 
 describe.runIf(isServe)('main', () => {
   beforeAll(async () => {
-    const srcPrefix = viteTestUrl.endsWith('/') ? '' : '/'
-    await page.goto(viteTestUrl + srcPrefix + 'src/')
+    await page.goto(getViteTestIndexHtmlUrl())
   })
 
   test('default import', async () => {
@@ -113,3 +126,59 @@ describe('fetch', () => {
     expect(res.headers.get('x-served-by')).toBe('vite')
   })
 })
+
+describe('cross origin', () => {
+  const fetchStatusFromPage = async (page: Page, url: string) => {
+    return await page.evaluate(async (url: string) => {
+      try {
+        const res = await globalThis.fetch(url)
+        return res.status
+      } catch {
+        return -1
+      }
+    }, url)
+  }
+
+  describe('allowed for same origin', () => {
+    beforeEach(async () => {
+      await page.goto(getViteTestIndexHtmlUrl())
+    })
+
+    test('fetch HTML file', async () => {
+      const status = await fetchStatusFromPage(page, viteTestUrl + '/src/')
+      expect(status).toBe(200)
+    })
+
+    test.runIf(isServe)('fetch JS file', async () => {
+      const status = await fetchStatusFromPage(
+        page,
+        viteTestUrl + '/src/code.js',
+      )
+      expect(status).toBe(200)
+    })
+  })
+
+  describe('denied for different origin', async () => {
+    let page2: Page
+    beforeEach(async () => {
+      page2 = await browser.newPage()
+      await page2.goto('http://vite.dev/404')
+    })
+    afterEach(async () => {
+      await page2.close()
+    })
+
+    test('fetch HTML file', async () => {
+      const status = await fetchStatusFromPage(page2, viteTestUrl + '/src/')
+      expect(status).not.toBe(200)
+    })
+
+    test.runIf(isServe)('fetch JS file', async () => {
+      const status = await fetchStatusFromPage(
+        page2,
+        viteTestUrl + '/src/code.js',
+      )
+      expect(status).not.toBe(200)
+    })
+  })
+})
diff --git a/playground/fs-serve/root/src/code.js b/playground/fs-serve/root/src/code.js
@@ -0,0 +1 @@
+// code.js
diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html
@@ -52,6 +52,7 @@ <h2>Denied</h2>
 <script type="module">
   import '../../entry'
   import json, { msg } from '../../safe.json'
+  import './code.js'
 
   function joinUrlSegments(a, b) {
     if (!a || !b) {

Original file line number	Diff line number	Diff line change
`@@ -184,7 +184,7 @@ export async function preview(`
`184`	`184`
`185`	`185`	`// cors`
`186`	`186`	`const { cors } = config.preview`
`187`		`- if (cors !== false) {`
	`187`	`+ if (cors !== undefined && cors !== false) {`
`188`	`188`	`app.use(corsMiddleware(typeof cors === 'boolean' ? {} : cors))`
`189`	`189`	`}`
`190`	`190`
Original file line number	Diff line number	Diff line change
`@@ -847,9 +847,9 @@ export async function _createServer(`
`847`	`847`	`middlewares.use(timeMiddleware(root))`
`848`	`848`	`}`
`849`	`849`
`850`		`- // cors (enabled by default)`
	`850`	`+ // cors`
`851`	`851`	`const { cors } = serverConfig`
`852`		`- if (cors !== false) {`
	`852`	`+ if (cors !== undefined && cors !== false) {`
`853`	`853`	`middlewares.use(corsMiddleware(typeof cors === 'boolean' ? {} : cors))`
`854`	`854`	`}`
`855`	`855`