From c40bd39a01efc924801050d999898443128b6ebf Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <anders@zulip.com>
Date: Tue, 15 Apr 2025 15:37:14 -0700
Subject: [PATCH] webpack: Disable cross-origin-header-check middleware.

This middleware in webpack-dev-server 5.2.1 appears to be intended to
plug some undisclosed browser-specific vulnerability that allows
stealing code from closed-source projects.

https://github.com/webpack/webpack-dev-server/issues/5446#issuecomment-2768816082
https://github.com/webpack/webpack-dev-server/issues/5446#issuecomment-2772150109

Signed-off-by: Anders Kaseorg <anders@zulip.com>
---
 web/webpack.config.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/web/webpack.config.ts b/web/webpack.config.ts
index bc65801673..0fd6f25333 100644
--- a/web/webpack.config.ts
+++ b/web/webpack.config.ts
@@ -255,6 +255,8 @@ const config = (
                 "Access-Control-Allow-Origin": "*",
                 "Timing-Allow-Origin": "*",
             },
+            setupMiddlewares: (middlewares) =>
+                middlewares.filter((middleware) => middleware.name !== "cross-origin-header-check"),
         },
         infrastructureLogging: {
             level: "warn",