Webpack-dev-server: [bug] Can't use `disableHostCheck` option - v2.4.3
When trying to use the disableHostCheck option with v2.4.3, I get:
Warning: Invalid configuration object. webpack-dev-server has been initialised using a configuration object that does not match the API schema.
- configuration has an unknown property 'disableHostCheck'. These properties are valid:
object { hot?, hotOnly?, lazy?, host?, filename?, publicPath?, port?, socket?, watchOptions?, headers?, clientLogLevel?, overlay?, key?, cert?, ca?, pfx?, pfxPassphrase?, inline?, public?, https?, contentBase?, watchContentBase?, open?, features?, compress?, proxy?, historyApiFallback?, staticOptions?, setup?, stats?, reporter?, noInfo?, quiet?, serverSideRender?, index?, log?, warn? } Use --force to continue.
I'm guessing disableHostCheck just needs to be added to optionsSchema.json.
nwoltman
All 11 comments
Could you explain why you want to disable this security feature?
sokra
on 23 Apr 2017
released in v2.4.4
sokra
on 23 Apr 2017
@sokra, can it be that this is connected with https://github.com/webpack/webpack-dev-server/issues/533#issuecomment-296438189?
karolyi
on 23 Apr 2017
@sokra Sometimes I need to test out features directly on my phone, and to do that I need to use the IP address of my computer that's running webpack-dev-server as the host to be able to connect to it.
I'm not totally sure that this security feature is necessary for me because when I use webpack-dev-server I'm either on a network with people I trust (home or work), or if I'm on a public network I keep my ports closed.
nwoltman
on 23 Apr 2017
This security feature protects against a DNS rebinding attack I reported privately to the webpack team, which may still affect you depending on your exact setup.
edmorley
on 23 Apr 2017
Oh I see. In that case I'll leave the host check enabled and only disable it when I absolutely need to (which is rarely anyway).
@edmorley At some point in the future, would you be able to share this attack with the community?
nwoltman
on 23 Apr 2017
@edmorley @sokra is there a recommended solution for hitting a local dev server from a tablet without having to enable this flag then? That's a pretty common workflow for me at work and it sounds like @nwoltman is in the same boat.
bdwain
on 24 Apr 2017
@edmorley At some point in the future, would you be able to share this attack with the community?
I've filed a retrospective GitHub issue with the original private disclosure email wording, which should hopefully make things a bit clearer: #887 - happy to answer any additional questions.
I've also made a suggestion about improving the UX for the "use a dynamic IP to access from a mobile device" case in https://github.com/webpack/webpack-dev-server/issues/882#issuecomment-296794972
edmorley
on 24 Apr 2017
@bdwain have you tried setting host: 0.0.0.0?
grgur
on 16 May 2017
I am still unable to use disableHostCheck flag -_-
ng serve --host 0.0.0.0 --disableHostCheck=true
help please
tanzeelrana
on 10 Jun 2017
@tanzeelrana That sounds like a feature request to open with Angular CLI project. Their CLI has to support disableHostCheck option and pass it to Webpack.
chai-jay
on 9 May 2018
Related issues
Ky6uk
路
3Comments
movie4
路
3Comments
gimmi
路
3Comments
da2018
路
3Comments
eyakcn
路
3Comments
Most helpful comment
@sokra Sometimes I need to test out features directly on my phone, and to do that I need to use the IP address of my computer that's running webpack-dev-server as the host to be able to connect to it.
I'm not totally sure that this security feature is necessary for me because when I use webpack-dev-server I'm either on a network with people I trust (home or work), or if I'm on a public network I keep my ports closed.