diff --git a/app/server/lib/requestUtils.ts b/app/server/lib/requestUtils.ts index 34c93d2e..ab7243e3 100644 --- a/app/server/lib/requestUtils.ts +++ b/app/server/lib/requestUtils.ts @@ -117,7 +117,7 @@ export function matchesBaseDomain(domain: string, baseDomain: string) { } export function isEnvironmentAllowedHost(url: string|URL) { - const urlHost = (typeof url === 'string') ? url : url.host; + const urlHost = (typeof url === 'string') ? url : url.hostname; return (process.env.GRIST_ALLOWED_HOSTS || "").split(",").some(domain => domain && matchesBaseDomain(urlHost, domain) ); diff --git a/test/server/lib/DocApi.ts b/test/server/lib/DocApi.ts index 9e6af838..0ec6feaa 100644 --- a/test/server/lib/DocApi.ts +++ b/test/server/lib/DocApi.ts @@ -3035,6 +3035,7 @@ function testDocApi() { await checkOrigin("https://www.toto.com", 403, "Unrecognized origin"); await checkOrigin("https://badexample.com", 403, "Unrecognized origin"); await checkOrigin("https://bad.com/example.com/toto", 403, "Unrecognized origin"); + await checkOrigin("https://example.com:3000/path", 200); await checkOrigin("https://example.com/path", 200); await checkOrigin("https://good.example.com/toto", 200); }); @@ -3133,7 +3134,7 @@ class TestServer { REDIS_URL: process.env.TEST_REDIS_URL, APP_HOME_URL: _homeUrl, ALLOWED_WEBHOOK_DOMAINS: `example.com,localhost:${webhooksTestPort}`, - GRIST_ALLOWED_HOSTS: `example.com,localhost:${webhooksTestPort}`, + GRIST_ALLOWED_HOSTS: `example.com,localhost`, ...process.env };