Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[vite 6.0.9] option server.allowedHosts doesn't take into account "true" #19242

Open
7 tasks done
Reaster0 opened this issue Jan 20, 2025 · 22 comments
Open
7 tasks done

Comments

@Reaster0
Copy link

Describe the bug

hi, i've recently updated vite to 6.0.9, the main change being the allowedHosts server conf field,

it's said in the documentation that if set to true, it will accept any hosts, but even when setting it to true i get the error:

Blocked request. This host ("hidden") is not allowed.
To allow this host, add "hidden" to server.allowedHosts in vite.config.js.

(maybe i could be dumb but it really doesn't seem to work)

Reproduction

google.com

Steps to reproduce

No response

System Info

System:
    OS: Linux 6.8 Ubuntu 24.04.1 LTS 24.04.1 LTS (Noble Numbat)
    CPU: (8) x64 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
    Memory: 4.68 GB / 15.34 GB
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 18.19.1 - /usr/bin/node
    npm: 9.2.0 - /usr/bin/npm
  Browsers:
    Chrome: 132.0.6834.83
  npmPackages:
    @vitejs/plugin-react: ^4.2.0 => 4.2.1 
    vite: 6.0.9 => 6.0.9

Used Package Manager

npm

Logs

No response

Validations

@keyurmeandev

This comment has been minimized.

@sunilranaLivspace
Copy link

Yes, same issue coming to me as well when I am trying below config in my vite config file (vite.config.ts). Please fix it.

import { defineConfig } from 'vite';
import react from '@vitejs/plugin-react';

export default defineConfig({
	plugins: [react()],
	build: {
		outDir: 'dist',
		target: 'esnext',
	},
	preview: {
		port: 3000,
		strictPort: true,
		host: '0.0.0.0', 
		allowedHosts: true,
	},
	server: {
		allowedHosts: true
	},
});

@keyurmeandev
Copy link

https://vite.dev/config/server-options#server-allowedhosts

Tried to follow the same procedure but not working..

Blocked request. This host ("hostname") is not allowed.
To allow this host, add "hostname" to server.allowedHosts in vite.config.js.

@sapphi-red
Copy link
Member

sapphi-red commented Jan 21, 2025

I wasn't able to reproduce it with a simple setup. I need a reproduction to investigate this one.

Copy link

Hello @Reaster0. Please provide a minimal reproduction using a GitHub repository or StackBlitz. Issues marked with needs reproduction will be closed if they have no activity within 3 days.

@gregorvand
Copy link

gregorvand commented Jan 21, 2025

Also encountering this after pushing an update today, no changes to vite config
Running on GCP / Cloud Run

@gregorvand
Copy link

I resolved this by updating vite.config - what's odd here is that I had not upgraded to 6+ and the error just presented overnight.
Also the type definitions are not happy with this addition, but it works:

export default defineConfig({
	plugins: [sveltekit()],
	server: {
		cors: {
			origin: ['https://mysubdomain.domain.io', 'http://localhost:5173'],
			methods: ['GET', 'POST'],
			allowedHeaders: ['Content-Type']
		},
		allowedHosts: ['mysubdomain.domain.io'] //added this
	}
});

@rodrigocfd
Copy link

The problem still exists in 6.0.11.

Downgrading to 6.0.8 makes it work.

@OxCom
Copy link

OxCom commented Jan 21, 2025

Hm... please take a look into tools that use vite to run. For example I have same issue with vite + storybook, because of storybook. I defined in storybook config the server options:

import {mergeConfig} from 'vite';

// ...

async viteFinal(config) {
        return mergeConfig(config, {
            server: {
                hmr: {
                    path: '/ws'
                }
            }
        });
    },

and the problem is that mergeConfig will replace server options from vite

@rodrigocfd
Copy link

Hm... please take a look into tools that use vite to run.

Mine is just a plain Vite project with React. Nothing else.

@Reaster0
Copy link
Author

Reaster0 commented Jan 21, 2025

i'm not sure i have the time rn to make a replication for something this simple,
if someone want to provide one

in the mean time i've rollbacked to 6.0.8

it's really a breaking issue for a lot of people,

changing the default allowedHost from 0.0.0.0 to localhost and having a bug on the same field to set back to 0.0.0.0 will break a lot of vite installations,
i'll stick on 6.0.8 until it's fixed,
thanks for your hard work nonetheless, vite is great

@Reaster0
Copy link
Author

I resolved this by updating vite.config - what's odd here is that I had not upgraded to 6+ and the error just presented overnight. Also the type definitions are not happy with this addition, but it works:

export default defineConfig({
plugins: [sveltekit()],
server: {
cors: {
origin: ['https://mysubdomain.domain.io', 'http://localhost:5173'],
methods: ['GET', 'POST'],
allowedHeaders: ['Content-Type']
},
allowedHosts: ['mysubdomain.domain.io'] //added this
}
});

yes you can set the hosts you want in allowedHosts, the bug we encounter specifically is when setting allowedHosts to "true"

@sapphi-red
Copy link
Member

sapphi-red commented Jan 22, 2025

I've tried it again but still cannot reproduce. I need a reproduction.

@gregorvand
Copy link

yes you can set the hosts you want in allowedHosts, the bug we encounter specifically is when setting allowedHosts to "true"

Understood, I also tried allowedHosts: true and it was breaking under that.

I am now using 6.0.10 so can only speak to that version.

@arifszn
Copy link

arifszn commented Jan 23, 2025

Also happening for latest 4.x.x version. Downgrading to v4.4.5 fixed it.

@volodymyr-nadolskyi-GL

This comment has been minimized.

@sapphi-red
Copy link
Member

Caution

Please note that downgrading will make you vulnerable to attacks described in GHSA-vg6x-rcgg-rjx6.

@Earu

This comment has been minimized.

@sapphi-red
Copy link
Member

So, we have two choices: an insecure version or a buggy version...

No, those are not the only choices.
You have a third choice to create a PR that fixes your problem, and a fourth choice to create a reproduction so that others can investigate the cause.

@augustoamaro
Copy link

Blocked request. This host ("myhost.com") is not allowed.
To allow this host, add "myhost.com" to preview.allowedHosts in vite.config.js.

  • I added it to vite.config.js and it didn't work.
  • I downgraded to version 4.5.0 and it remains the same
  • I'm using nginx in my server
  • The application is being run in Docker

@arifszn
Copy link

arifszn commented Jan 24, 2025

Blocked request. This host ("myhost.com") is not allowed. To allow this host, add "myhost.com" to preview.allowedHosts in vite.config.js.

  • I added it to vite.config.js and it didn't work.
  • I downgraded to version 4.5.0 and it remains the same
  • I'm using nginx in my server
  • The application is being run in Docker

Downgrade to 4.4.5.

@JustinYLee
Copy link

putting all the settings in the server block worked for allowedHosts: true or ['dev.mydomain.com']

no problem with "npm run dev"

I was accessing my dev server from outside network domain name. I configured my router to forward port 8080 to the dev server. It would error without the setting.

import { fileURLToPath, URL } from 'node:url'

import { defineConfig } from 'vite'
import vue from '@vitejs/plugin-vue'
import vueDevTools from 'vite-plugin-vue-devtools'

// https://vite.dev/config/
export default defineConfig({
plugins: [
vue(),
vueDevTools(),
],
server: {
port: 8080,
strictPort:true,
host: '0.0.0.0',
//allowedHosts: ['dev.mydomain.com']
allowedHosts: true
},
resolve: {
alias: {
'@': fileURLToPath(new URL('./src', import.meta.url))
},
},
})

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests