nativescript 9.0.6-rc.1 → 9.0.6-rc.2

package/lib/services/devtools-host-service.js

@@ -7,9 +7,17 @@ const fs = require("fs");
 const constants_1 = require("../constants");
 const yok_1 = require("../common/yok");
 const LOOPBACK_HOST = "127.0.0.1";
-const DEVTOOLS_ORIGIN = "https://chrome-devtools-frontend.appspot.com";
 const PORT_RANGE_START = 41500;
 const PORT_RANGE_END = 41999;
+// Allowed Chrome DevTools origins. Bundled DevTools (devtools://devtools)
+// is the default flow opened by chrome://inspect; the appspot frontend is
+// used when the CLI prints a hosted URL. Any other origin (including
+// custom NS DevTools forks) gets a permissive ACAO since loopback bind
+// is the real security boundary anyway.
+const KNOWN_DEVTOOLS_ORIGINS = new Set([
+    "devtools://devtools",
+    "https://chrome-devtools-frontend.appspot.com",
+]);
 const CONTENT_TYPES = {
     ".map": "application/json; charset=utf-8",
     ".json": "application/json; charset=utf-8",
@@ -98,7 +106,11 @@ class DevtoolsHostService {
         return `http://${LOOPBACK_HOST}:${port}`;
     }
     handleRequest(req, res, rootDir) {
-        res.setHeader("Access-Control-Allow-Origin", DEVTOOLS_ORIGIN);
+        const requestOrigin = req.headers.origin;
+        const allowOrigin = requestOrigin && KNOWN_DEVTOOLS_ORIGINS.has(requestOrigin)
+            ? requestOrigin
+            : "*";
+        res.setHeader("Access-Control-Allow-Origin", allowOrigin);
         res.setHeader("Vary", "Origin");
         res.setHeader("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS");
         res.setHeader("Access-Control-Allow-Headers", "*");

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "nativescript",
   "main": "./lib/nativescript-cli-lib.js",
-  "version": "9.0.6-rc.1",
+  "version": "9.0.6-rc.2",
   "author": "NativeScript <oss@nativescript.org>",
   "description": "Command-line interface for building NativeScript projects",
   "bin": {