cli-tunnel 1.4.0 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/index.js +10 -12
  2. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -467,22 +467,20 @@ const wss = new WebSocketServer({
467
467
  // F-18: Session expiry
468
468
  if (Date.now() - sessionCreatedAt > SESSION_TTL)
469
469
  return false;
470
- // F-3: Validate origin BEFORE ticket acceptance
471
- // F-06: Require Origin header — reject non-browser clients without Origin
470
+ // F-3: Validate origin when present (devtunnel proxies may strip it)
472
471
  const origin = info.req.headers.origin;
473
- if (!origin) {
474
- return false;
475
- }
476
- try {
477
- const originUrl = new URL(origin);
478
- const host = originUrl.hostname;
479
- if (host !== 'localhost' && host !== '127.0.0.1' && !host.endsWith('.devtunnels.ms')) {
472
+ if (origin) {
473
+ try {
474
+ const originUrl = new URL(origin);
475
+ const host = originUrl.hostname;
476
+ if (host !== 'localhost' && host !== '127.0.0.1' && !host.endsWith('.devtunnels.ms')) {
477
+ return false;
478
+ }
479
+ }
480
+ catch {
480
481
  return false;
481
482
  }
482
483
  }
483
- catch {
484
- return false;
485
- }
486
484
  const url = new URL(info.req.url, `http://${info.req.headers.host}`);
487
485
  // F-02: Accept one-time ticket (only auth method for WS)
488
486
  const ticket = url.searchParams.get('ticket');
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "cli-tunnel",
3
- "version": "1.4.0",
3
+ "version": "1.4.1",
4
4
  "description": "Tunnel any CLI app to your phone — PTY + devtunnel + xterm.js",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",