
docs: clarify network threat boundary in security policy#10503

Open
hi-ogawa wants to merge 7 commits into
vitest-dev:mainfrom
hi-ogawa:docs-tweak-security-md

Conversation


@hi-ogawa hi-ogawa commented Jun 2, 2026

Collaborator

Description

We adopted Vite's security policy and threat model in #10433, but its "Network data and untrusted clients" wording can be read as a promise that any network client is in scope. That was never something the dev-server API was built to do: the UI and browser mode intentionally expose a privileged (write/exec-capable) API on localhost, and we call out that the allowExec/Write options are only safe for a controlled localhost environment.

This PR makes the boundary explicit instead of implied:

  • In scope: browser-reachable attacks against a localhost-bound dev server (cross-origin pages, DNS rebinding) when Origin/Host validation is missing or bypassable.
  • Out of scope: reachability that exists only because the developer port-forwarded the server, bound it to a public interface (--host), or put it on a shared/untrusted network — that is developer-managed infrastructure.

This mirrors where browser dev tooling drew the same line. Chrome's DevTools/CDP endpoint:

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. If the feature is substantial or introduces breaking changes without a discussion, the PR might be closed.
  • Ideally, include a test that fails without this PR but passes with it.
  • Please, don't make changes to pnpm-lock.yaml unless you introduce a new test example.
  • Please check Allow edits by maintainers to make the review process faster. Note that this option is not available for repositories that are owned by GitHub organizations.

Tests

  • Run the tests with pnpm test:ci.

Documentation

  • If you introduce new functionality, document it. You can run documentation with pnpm run docs command.

Changesets

  • Changes in changelog are generated from PR name. Please, make sure that it explains your changes in an understandable manner. Please, prefix changeset messages with feat:, fix:, perf:, docs:, or chore:.
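The boundary the description draws (cross-origin pages and DNS rebinding in scope, raw network reachability out of scope) comes down to what Host and Origin validation can and cannot stop. The following is an added example, not Vitest's or Vite's code: a minimal request check for a localhost-bound dev server, run against constructed header sets for each case named above. The allow-list, the `checkRequest` helper, and the choice to treat a missing Origin header as a non-browser client are this example's assumptions, not a description of how Vitest's server behaves.

```javascript
// Added example (not project code): Host/Origin validation for a dev server
// bound to localhost, and the attacker classes it does and does not cover.

// Assumed allow-list of hostnames a legitimate request may carry.
const DEFAULT_ALLOWED_HOSTS = ["localhost", "127.0.0.1", "[::1]"];

// Extract the hostname from a Host header, dropping the port.
// Bracketed IPv6 literals are kept whole so "[::1]:5173" -> "[::1]".
function hostnameOf(hostHeader) {
  if (!hostHeader) return null;
  const value = hostHeader.trim();
  if (value.startsWith("[")) {
    const end = value.indexOf("]");
    return end === -1 ? null : value.slice(0, end + 1).toLowerCase();
  }
  return value.split(":")[0].toLowerCase();
}

// Host check: defends against DNS rebinding. A page on attacker.example whose
// DNS record is re-pointed at 127.0.0.1 reaches the port, but the browser still
// sends "Host: attacker.example", which is not on the allow-list.
function hostAllowed(headers, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const host = hostnameOf(headers.host);
  return host !== null && allowedHosts.includes(host);
}

// Origin check: defends against cross-origin pages. Browsers attach Origin to
// WebSocket handshakes and cross-origin requests. A request with no Origin is
// assumed to come from a non-browser client, which this check never targets.
function originAllowed(headers, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const origin = headers.origin;
  if (origin === undefined) return true;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // malformed Origin: reject rather than guess
  }
  // WHATWG URL keeps the brackets on IPv6 hostnames, matching the allow-list.
  return allowedHosts.includes(url.hostname.toLowerCase());
}

// Combined gate; returns which check rejected the request, if any.
function checkRequest(headers, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  if (!hostAllowed(headers, allowedHosts)) return { allowed: false, reason: "host" };
  if (!originAllowed(headers, allowedHosts)) return { allowed: false, reason: "origin" };
  return { allowed: true, reason: null };
}

// Constructed request headers for each case in the policy discussion.
const SAMPLE_REQUESTS = {
  // Same-origin page served by the dev server itself: allowed.
  sameOrigin: { host: "localhost:51204", origin: "http://localhost:51204" },
  // Same, over the IPv6 loopback literal: allowed.
  ipv6Loopback: { host: "[::1]:51204", origin: "http://[::1]:51204" },
  // Cross-origin page opening a WebSocket to the server (in scope): blocked.
  crossOrigin: { host: "localhost:51204", origin: "https://attacker.example" },
  // DNS rebinding, attacker.example now resolving to 127.0.0.1 (in scope): blocked.
  dnsRebinding: { host: "attacker.example:51204", origin: "http://attacker.example:51204" },
  // Non-browser peer that can reach the port after --host or a port-forward:
  // it sets Host freely and sends no Origin (out of scope): passes both checks.
  networkPeer: { host: "localhost:51204" },
};

// Run every sample through the gate and return the verdicts by name.
function evaluateSamples(samples = SAMPLE_REQUESTS) {
  const results = {};
  for (const [name, headers] of Object.entries(samples)) {
    results[name] = checkRequest(headers);
  }
  return results;
}

for (const [name, verdict] of Object.entries(evaluateSamples())) {
  console.log(name, verdict.allowed ? "allowed" : `blocked (${verdict.reason})`);
}
```

The last sample is the point of the carve-out: Host and Origin are browser-enforced headers, so a peer that can open a TCP connection to the port directly can set both to whatever the server expects. Once a developer has made the server reachable (public bind, port-forward, reverse proxy or tunnel, shared network), no header validation distinguishes that peer from the developer's own tooling, which is why such reachability is treated as developer-managed infrastructure rather than a gap in the server's defenses.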

@hi-ogawa hi-ogawa changed the title from "docs: tweak SECURITY.md" to "docs: update security policy" on Jun 2, 2026

netlify Bot commented Jun 2, 2026


Deploy Preview for vitest-dev ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 87b40cf
🔍 Latest deploy log https://app.netlify.com/projects/vitest-dev/deploys/6a1e7c2f6e0c1700085d5ddb
😎 Deploy Preview https://deploy-preview-10503--vitest-dev.netlify.app

@hi-ogawa hi-ogawa self-assigned this Jun 8, 2026
hi-ogawa and others added 3 commits June 23, 2026 14:06
Define the in-scope untrusted client as browser-reachable (cross-origin /
localhost), re-anchor the WebSocket in-scope example to a cross-origin page,
and lead the network-exposure carve-out with the principle that defenses
target browser-reachable attackers rather than arbitrary network peers.

Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
The cross-origin-page in-scope example and the carve-out's in-scope note
repeated the "origin/host validation missing or bypassable" precondition
already stated in the example above them. Keep the cross-origin callout as
the salient property and drop the redundant clauses.

Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
@hi-ogawa hi-ogawa changed the title from "docs: update security policy" to "docs: clarify network threat boundary in security policy" on Jun 23, 2026
hi-ogawa and others added 3 commits June 23, 2026 15:01
Fold "not arbitrary network peers" into the scoping sentence as a contrast
instead of a semicolon-joined clause.

Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
Name reverse proxy / tunnel (Host rewriting) and relaxing Vite's
`server.allowedHosts` as developer-initiated exposure, so reachability
gained by disabling Vite's host allowlist is treated the same as
port-forwarding rather than as a Vitest network-authentication gap.

Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
Whether relaxing `server.allowedHosts` is in or out of scope is Vite's
call to make in Vite's own policy, not Vitest's to adjudicate. Keep the
carve-out to reachability of Vitest's own server (port-forward, reverse
proxy / tunnel, public bind, shared network).

Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
@hi-ogawa hi-ogawa marked this pull request as ready for review June 23, 2026 06:31
@hi-ogawa hi-ogawa removed their assignment Jun 26, 2026