From 92b5c0830662f8baebc6fd4eadfd5ddd3de963a3 Mon Sep 17 00:00:00 2001
From: Jasper De Moor <jasperdemoor@gmail.com>
Date: Mon, 24 Sep 2018 20:49:56 -0700
Subject: [PATCH] fix security vuln (#1794)

---
 src/HMRServer.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/HMRServer.js b/src/HMRServer.js
index 45176385e90..286d7bb5014 100644
--- a/src/HMRServer.js
+++ b/src/HMRServer.js
@@ -17,7 +17,17 @@ class HMRServer {
         this.server = https.createServer(await getCertificate(options.https));
       }
 
-      this.wss = new WebSocket.Server({server: this.server});
+      let websocketOptions = {
+        server: this.server
+      };
+
+      if (options.hmrHostname) {
+        websocketOptions.origin = `${options.https ? 'https' : 'http'}://${
+          options.hmrHostname
+        }`;
+      }
+
+      this.wss = new WebSocket.Server(websocketOptions);
       this.server.listen(options.hmrPort, resolve);
     });