From 7d8453cbecee287110d84cfd231b3e2f7dd16add Mon Sep 17 00:00:00 2001
From: Matthias Andrasch <777278+mandrasch@users.noreply.github.com>
Date: Wed, 5 Feb 2025 12:26:54 +0100
Subject: [PATCH] fix: improve cors security
---
 README.md | 5 +++--
 vite.config.js | 9 ++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 9e935ff..b360d32 100644
--- a/README.md
+++ b/README.md
@@ -157,8 +157,9 @@ web_extra_exposed_ports:
 strictPort = true,
 // origin is important, see https://nystudio107.com/docs/vite/#vite-processed-assets
 origin: `${process.env.DDEV_PRIMARY_URL}:5173`
- // Configure CORS for the dev server (security)
- cors: { origin: /https?:\/\/([A-Za-z0-9\-\.]+)?(localhost|\.site)(?::\d+)?$/ },
+ // Configure CORS securely for the Vite dev server to allow requests
+ // from *.ddev.site domains, supports additional hostnames (via regex)
+ cors: { origin: /https?:\/\/([A-Za-z0-9\-\.]+)?(\.ddev\.site)(?::\d+)?$/ },
 },
 ```
diff --git a/vite.config.js b/vite.config.js
index 0c79a30..1ebb892 100644
--- a/vite.config.js
+++ b/vite.config.js
@@ -49,16 +49,15 @@ export default ({ command }) => ({
 },
 // adjustments for ddev:
 server: {
- // respond to all network requests:
+ // Respond to all network requests
 host: '0.0.0.0',
 port: port,
 strictPort: true,
 // origin is important, see https://nystudio107.com/docs/vite/#vite-processed-assets
 origin: origin,
- // Configure CORS for devserver (security)
- cors: {
- origin: /https?:\/\/([A-Za-z0-9\-\.]+)?(localhost|\.site)(?::\d+)?$/
- },
+ // Configure CORS securely for the Vite dev server to allow requests
+ // from *.ddev.site domains, supports additional hostnames (via regex)
+ cors: { origin: /https?:\/\/([A-Za-z0-9\-\.]+)?(\.ddev\.site)(?::\d+)?$/ },
 },
 plugins: [
 ViteRestart({
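Review bot: The new `cors.origin` pattern in the `server` block of vite.config.js has no `^` anchor, and its optional subdomain group allows `.` inside the character class, so it accepts any Origin value that merely ends in `.ddev.site` plus an optional port, including an empty label such as `https://.ddev.site`. Browsers send only scheme://host[:port] in Origin, so the practical exposure is small, but anchoring both ends and matching whole labels makes the allow-list say exactly what the comment claims: `cors: { origin: /^https?:\/\/(?:[A-Za-z0-9-]+\.)+ddev\.site(?::\d+)?$/ },`. The same pattern is repeated in the README.md hunk and should be kept in sync with whatever is chosen here. Because `host: '0.0.0.0'` stays, I would also add a comment such as `// CORS only limits cross-origin reads by browsers; it is not access control for the dev server port`. The `server` object sits inside the `export default` config that opens above the hunk and continues past `plugins: [`, so the rest of the file was not reviewed.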