cli-tunnel 1.3.1-beta.9 → 1.4.1

package/dist/index.js

@@ -467,22 +467,20 @@ const wss = new WebSocketServer({
         // F-18: Session expiry
         if (Date.now() - sessionCreatedAt > SESSION_TTL)
             return false;
-        // F-3: Validate origin BEFORE ticket acceptance
-        // F-06: Require Origin header — reject non-browser clients without Origin
+        // F-3: Validate origin when present (devtunnel proxies may strip it)
         const origin = info.req.headers.origin;
-        if (!origin) {
-            return false;
-        }
-        try {
-            const originUrl = new URL(origin);
-            const host = originUrl.hostname;
-            if (host !== 'localhost' && host !== '127.0.0.1' && !host.endsWith('.devtunnels.ms')) {
+        if (origin) {
+            try {
+                const originUrl = new URL(origin);
+                const host = originUrl.hostname;
+                if (host !== 'localhost' && host !== '127.0.0.1' && !host.endsWith('.devtunnels.ms')) {
+                    return false;
+                }
+            }
+            catch {
                 return false;
             }
         }
-        catch {
-            return false;
-        }
         const url = new URL(info.req.url, `http://${info.req.headers.host}`);
         // F-02: Accept one-time ticket (only auth method for WS)
         const ticket = url.searchParams.get('ticket');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cli-tunnel",
-  "version": "1.3.1-beta.9",
+  "version": "1.4.1",
   "description": "Tunnel any CLI app to your phone — PTY + devtunnel + xterm.js",
   "type": "module",
   "main": "dist/index.js",
@@ -36,8 +36,6 @@
     "node": ">=22.0.0"
   },
   "dependencies": {
-    "@xterm/addon-serialize": "^0.14.0",
-    "@xterm/headless": "^6.0.0",
     "node-pty": "1.1.0",
     "qrcode-terminal": "0.12.0",
     "ws": "8.19.0"