Closed tiagojsag closed 7 years ago
I'm not familiar with this and the why of this, could you elaborate please? The webpack doc says it's not recommended.
If you try to access the content served by webpack server from a different machine (VM using IE/Edge, for example), the webpack server will give you an error, basically because you are not using localhost/0.0.0.0.
This disables this protection.
I'm not sure I get all the implications of this, but maybe read this first before merging: https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a
Interesting read, and definitely worth keeping in mind, but doesn’t apply here, because we are not using the webpack server in production, we just use it locally.
The webpack dev server is not intended for production. What that post says from my understanding is that a malicious website could make requests to a webpack dev server running locally (thus potentially exposing dev env vars, data served from a dev/local API, etc).
I’m 95% sure this only opens up a security issue on the machine running the webpack dev server, which is none in our case. But, just to be safe, maybe @agnessa can take a look.
I got a headache from reading about this but I think Erik is right, it opens up an issue on localhost. The solution to the original issue of testing in VM would be to somehow whitelist the alternative hosts we want to allow rather than turn this off. To be fair, this possibly affects many other services which we run on our local machines, no need to search far and wide: https://twitter.com/homakov/status/839066663437787136
In case we need to test this in a VM.
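The allow-list approach suggested in the thread, sketched as an added example (not code from this repository or from webpack-dev-server): a Host-header check that stays enabled and admits only named hosts, so a page on an attacker-controlled DNS name is still refused. The function names and the sample hosts (`10.0.2.2`, `.dev.example.test`, `rebind.attacker.test`) are assumptions made up for illustration.

```javascript
// Added example: simplified Host-header allow-list check.
// Hypothetical helpers, not webpack-dev-server's implementation.

// Names that always refer to the machine running the dev server.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

// Extract the lower-cased hostname from a Host header, dropping any port.
function hostnameFromHeader(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  // A Host header carries no path, userinfo, query or whitespace: reject those.
  if (/[\/\\@?#\s]/.test(hostHeader)) return null;
  try {
    // URL parsing handles "name:port" and bracketed IPv6 literals.
    return new URL(`http://${hostHeader}`).hostname.toLowerCase();
  } catch (err) {
    return null; // malformed header
  }
}

// True when the request's Host header names loopback or an allow-listed host.
// An entry starting with "." also matches every subdomain of that name.
function isHostAllowed(hostHeader, allowedHosts) {
  const hostname = hostnameFromHeader(hostHeader);
  if (hostname === null) return false;
  if (LOOPBACK.has(hostname)) return true;
  return allowedHosts.some((entry) => {
    const allowed = entry.toLowerCase();
    if (allowed.startsWith('.')) {
      return hostname === allowed.slice(1) || hostname.endsWith(allowed);
    }
    return hostname === allowed;
  });
}

// Constructed sample: the address a VM uses to reach the dev machine,
// plus one internal test domain.
const allowedHosts = ['10.0.2.2', '.dev.example.test'];

// Constructed Host headers, including one from an attacker-controlled name.
for (const header of [
  'localhost:8080',
  '10.0.2.2:8080',
  'app.dev.example.test:8080',
  'rebind.attacker.test:8080',
]) {
  console.log(header, '->', isHostAllowed(header, allowedHosts) ? 'serve' : 'reject');
}
```

webpack-dev-server exposes the same idea as its `allowedHosts` option, which lets the VM's hostname be added without turning the host check off.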