fix: handle relative URLs in WebSocket domain filter #765

Open
Jah-yee wants to merge 1 commit into vercel-labs:main from Jah-yee:fix/relative-url-websocket

Jah-yee commented Mar 13, 2026

Description

Fixes #764 - WebSocket domain filter throws TypeError on relative URLs (e.g. webpack HMR)

Root Cause

The _checkUrl() function used new URL(url) which requires an absolute URL. Relative paths like /__webpack_hmr (webpack hot module reloading) would throw TypeError: Failed to construct URL: Invalid URL.

Fix

  • Handle relative URLs by resolving against location.origin
  • Return true for URLs without hostname (data URLs, etc.)

Testing

  • Code compiles
  • WebSocket connections with absolute URLs still filtered correctly
  • Relative URLs (webpack HMR) no longer throw errors

Resolves: vercel-labs#764
- Handle relative URLs (e.g., /__webpack_hmr) by resolving against page origin
- Prevents TypeError on webpack HMR connections with relative URLs
- Returns true for URLs without hostname (data URLs, etc.)

vercel bot commented Mar 13, 2026

Someone is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

Comment on lines +54 to +60
// Handle relative URLs (e.g., /__webpack_hmr) by resolving against page origin
var fullUrl = url;
if (url.startsWith('/') || url.startsWith('.')) {
fullUrl = location.origin + url;
}
var parsed = new URL(fullUrl);
return parsed.hostname ? _isDomainAllowed(parsed.hostname) : true;
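
Review bot: In `if (url.startsWith('/') || url.startsWith('.'))`, the prefix test stands in for the URL parser and misses three cases. A protocol-relative `//host/path` also starts with `/`, so `location.origin + url` makes the parsed hostname the page's own. A `./path` input concatenates to `<origin>./path`, which alters the hostname instead of the path. A relative URL with neither prefix still reaches `new URL(fullUrl)` and throws. Passing the base as the second argument, `new URL(url, location.origin)`, removes the need for the prefix test. Separately, the `: true` on the last line allows every URL that parses without a hostname; consider failing closed there.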

Suggested change
// Handle relative URLs (e.g., /__webpack_hmr) by resolving against page origin
var fullUrl = url;
if (url.startsWith('/') || url.startsWith('.')) {
fullUrl = location.origin + url;
}
var parsed = new URL(fullUrl);
return parsed.hostname ? _isDomainAllowed(parsed.hostname) : true;
var parsed = new URL(url, location.origin);
return parsed.hostname ? _isDomainAllowed(parsed.hostname) : false;

Two bugs in _checkUrl: manual URL string concatenation produces invalid URLs for relative paths starting with ., and hostless URLs (data:, blob:) bypass the domain filter entirely.

ctate left a comment

Thanks for the clear bug report and clean PR! One issue: the location.origin + url concatenation introduces a domain filter bypass — //evil.com/socket starts with /, resolves to example.com in the filter, but the browser connects to evil.com. Using new URL(url, location.origin) instead fixes this and also handles ./path correctly. Could you also add a test for relative URL handling? Happy to help work through the details.
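
The difference between the two checks discussed in the review above, as an added example that is not part of the PR or the project's code. It runs the hunk's concatenation logic and the suggested `new URL(url, location.origin)` form over the same inputs. `PAGE_ORIGIN`, `ALLOWED_HOSTS`, `isDomainAllowed` and the sample URLs are constructed stand-ins for `location.origin`, the project's allow list and `_isDomainAllowed()`.

```javascript
// Added example. PAGE_ORIGIN, ALLOWED_HOSTS and isDomainAllowed are constructed
// stand-ins for location.origin and the project's _isDomainAllowed().
const PAGE_ORIGIN = 'https://example.com';
const ALLOWED_HOSTS = new Set(['example.com']);
const isDomainAllowed = (hostname) => ALLOWED_HOSTS.has(hostname);

// Check as written in the PR hunk: prefix test plus string concatenation.
function checkUrlConcat(url, origin = PAGE_ORIGIN) {
  let fullUrl = url;
  if (url.startsWith('/') || url.startsWith('.')) {
    fullUrl = origin + url;
  }
  const parsed = new URL(fullUrl);
  return parsed.hostname ? isDomainAllowed(parsed.hostname) : true;
}

// Check from the suggested change: let the URL parser resolve against the origin.
function checkUrlResolved(url, origin = PAGE_ORIGIN) {
  const parsed = new URL(url, origin);
  return parsed.hostname ? isDomainAllowed(parsed.hostname) : false;
}

// Run one check and report 'allow', 'block' or 'throws' instead of raising.
function verdict(check, url) {
  try {
    return check(url) ? 'allow' : 'block';
  } catch (err) {
    return 'throws';
  }
}

// Constructed inputs: the HMR path from the issue, the protocol-relative URL
// from the review, and a few other shapes a page script could pass.
const SAMPLE_URLS = ['/__webpack_hmr', '//evil.com/socket', './socket', 'socket',
  'wss://evil.com/socket', 'data:text/plain,x'];

// One row per input: host after standard resolution, and each check's verdict.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    resolvedHost: new URL(url, PAGE_ORIGIN).hostname,
    concat: verdict(checkUrlConcat, url),
    resolved: verdict(checkUrlResolved, url),
  }));
}

console.table(compareChecks());
```

Any row where `concat` is `allow` but `resolvedHost` is not on the allow list is a case a regression test for the filter should cover.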
