webpack/webpack-dev-server

[bug] Can't use `disableHostCheck` option - v2.4.3

nwoltman opened this issue · 11 comments

When trying to use the disableHostCheck option with v2.4.3, I get:

Warning: Invalid configuration object. webpack-dev-server has been initialised using a configuration object that does not match the API schema.
 - configuration has an unknown property 'disableHostCheck'. These properties are valid:
   object { hot?, hotOnly?, lazy?, host?, filename?, publicPath?, port?, socket?, watchOptions?, headers?, clientLogLevel?, overlay?, key?, cert?, ca?, pfx?, pfxPassphrase?, inline?, public?, https?, contentBase?, watchContentBase?, open?, features?, compress?, proxy?, historyApiFallback?, staticOptions?, setup?, stats?, reporter?, noInfo?, quiet?, serverSideRender?, index?, log?, warn? } Use --force to continue.

I'm guessing disableHostCheck just needs to be added to optionsSchema.json.

sokra commented

Could you explain why you want to disable this security feature?

sokra commented

released in v2.4.4

@sokra, can it be that this is connected with #533 (comment)?

@sokra Sometimes I need to test out features directly on my phone, and to do that I need to use the IP address of my computer that's running webpack-dev-server as the host to be able to connect to it.

I'm not totally sure that this security feature is necessary for me because when I use webpack-dev-server I'm either on a network with people I trust (home or work), or if I'm on a public network I keep my ports closed.

This security feature protects against a DNS rebinding attack I reported privately to the webpack team, which may still affect you depending on your exact setup.

Oh I see. In that case I'll leave the host check enabled and only disable it when I absolutely need to (which is rarely anyway).
@edmorley At some point in the future, would you be able to share this attack with the community?

@edmorley @sokra is there a recommended solution for hitting a local dev server from a tablet without having to enable this flag then? That's a pretty common workflow for me at work and it sounds like @nwoltman is in the same boat.

> @edmorley At some point in the future, would you be able to share this attack with the community?

I've filed a retrospective GitHub issue with the original private disclosure email wording, which should hopefully make things a bit clearer: #887 - happy to answer any additional questions.

I've also made a suggestion about improving the UX for the "use a dynamic IP to access from a mobile device" case in #882 (comment)
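Added example, not part of the thread and not webpack-dev-server's own code: a simplified Host-header allowlist check of the kind this discussion is about. It shows why a request arriving under a rebound hostname is rejected while a specific LAN IP can be allowed without turning the check off. The function names, the `allowedHosts` parameter and all sample hosts are assumptions made for illustration.

```javascript
// Simplified Host-header allowlist check (illustration only, not
// webpack-dev-server's implementation; all names here are hypothetical).
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

function hostnameFromHeader(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader === '') return null;
  // Accept only a bare host[:port]; reject paths, userinfo, whitespace.
  if (/[\s\/@?#\\]/.test(hostHeader)) return null;
  try {
    return new URL(`http://${hostHeader}`).hostname.toLowerCase();
  } catch {
    return null; // malformed header, e.g. a non-numeric port
  }
}

function isHostAllowed(hostHeader, allowedHosts = []) {
  const hostname = hostnameFromHeader(hostHeader);
  if (hostname === null) return false;
  if (LOOPBACK.has(hostname)) return true;
  return allowedHosts.some((entry) => {
    const allowed = entry.toLowerCase();
    // A leading dot allows the domain itself and its subdomains.
    if (allowed.startsWith('.')) {
      return hostname === allowed.slice(1) || hostname.endsWith(allowed);
    }
    return hostname === allowed; // exact match only, never substring
  });
}

// Constructed sample data: the dev machine's LAN address and some Host headers.
const allowlist = ['192.168.1.20'];
const samples = [
  'localhost:8080',                // local development
  '192.168.1.20:8080',             // phone or tablet on the same network
  'rebind.example.test:8080',      // foreign name whose DNS now points at the dev machine
  '127.0.0.1.rebind.example.test', // lookalike that only starts with a loopback address
];

function decisions() {
  return samples.map((host) => [host, isHostAllowed(host, allowlist)]);
}

console.log(decisions());
```

The browser sends the name it resolved in the `Host` header, so a rebound hostname fails the check even though the connection reaches the dev server's address.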

grgur commented

@bdwain have you tried setting host: 0.0.0.0?

I am still unable to use disableHostCheck flag -_-

ng serve --host 0.0.0.0 --disableHostCheck=true

help please

@tanzeelrana That sounds like a feature request to open with the Angular CLI project. Their CLI has to support the disableHostCheck option and pass it to Webpack.