fix: regression in for checking Origin header

Author: timfjord

lib/Server.js

@@ -521,7 +521,12 @@ Server.prototype.checkHost = function (headers, headerToCheck) {
   if (!hostHeader) return false;
 
   // use the node url-parser to retrieve the hostname from the host-header.
-  const hostname = url.parse(`//${hostHeader}`, false, true).hostname;
+  const hostname = url.parse(
+    // if hostHeader doesn't have scheme, add // for parsing.
+    /^(.+:)?\/\//.test(hostHeader) ? hostHeader : `//${hostHeader}`,
+    false,
+    true,
+  ).hostname;
 
   // always allow requests with explicit IPv4 or IPv6-address.
   // A note on IPv6 addresses: hostHeader will always contain the brackets denoting

test/Validation.test.js

@@ -144,6 +144,19 @@ describe('Validation', () => {
       }
     });
 
+    it('should allow urls with scheme for checking origin', () => {
+      const options = {
+        public: 'test.host:80'
+      };
+      const headers = {
+        origin: 'https://test.host'
+      };
+      const server = new Server(compiler, options);
+      if (!server.checkHost(headers, 'origin')) {
+        throw new Error("Validation didn't fail");
+      }
+    });
+
     describe('allowedHosts', () => {
       it('should allow hosts in allowedHosts', () => {
         const testHosts = [