fix host/origin header validation in local explorer

[emily-shen]

Previously, we were checking host/origin header in the explorer worker to ensure we only allow same-origin localhost reqs. However, if you have a route set (custom domain etc.), Miniflare does its best to make it look like your local dev is coming from that host, and rewrites headers etc. accordingly. This means we were incorrectly blocking requests as cross-origin when you had a route set - when the local explorer UI makes a request to the local explorer API and the origin and host headers are both my-site.com etc., but our allowed host lists was only localhost.

Also, Wrangler's Proxy miniflare instance (the startDevWorker proxy worker) rewrites headers too, to complicate things.

Basically this PR gets the user routes, adds it to our allowed hosts lists and then everything seems to work.

I've moved the check to the entry worker since we have access to the routes there. I'm only doing this check on explorer routes, because i'm worried this could block some legit usecase i haven't thought of, but if we don't see issues after the local explorer gets use, we could consider moving this to cover all cdn-cgi routes.

---

• Tests
  • Tests included/updated
  • Automated tests not possible - manual testing has been completed as follows:
  • Additional testing not necessary because:
• Public documentation
  • Cloudflare docs PR(s):
  • Documentation not necessary because: wip experimental feature

A picture of a cute animal (not mandatory, but encouraged)

[changeset-bot]

🦋 Changeset detected

Latest commit: 223033c

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

✅ All changesets look good

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@12869

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@12869

miniflare

npm i https://pkg.pr.new/miniflare@12869

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@12869

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@12869

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@12869

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@12869

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@12869

wrangler

npm i https://pkg.pr.new/wrangler@12869

commit: c16b6e3

[workers-devprod]

Codeowners approval required for this PR:

• ✅ @cloudflare/wrangler

Show detailed file reviewers