Skip to content

Commit a42c78e

Browse files
Stvadclaude
andcommitted
chore(dev): gate Tailscale-tunnel allowedHosts behind VITE_TUNNEL
Make the real-device (iPad/iPhone) testing allowance a committed, opt-in dev convenience instead of an uncommitted local edit. `server.allowedHosts: ['.ts.net']` now applies only when VITE_TUNNEL=1, so a normal `yarn dev` keeps Vite's DNS-rebinding host check intact (verified: a .ts.net Host is blocked without the flag). Update the ios-device-debug skill to start the dev server with `VITE_TUNNEL=1 yarn dev` and drop the now-unneeded vite.config.ts revert from teardown. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent d770964 commit a42c78e

2 files changed

Lines changed: 8 additions & 2 deletions

File tree

.claude/skills/ios-device-debug/SKILL.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ Then in the Tailscale **admin console** (login.tailscale.com/admin/dns) enable *
4242
tailscale serve --bg http://localhost:5173
4343
```
4444
- Target the **`localhost` hostname, not `127.0.0.1`.** Vite dev binds `[::1]:5173` (IPv6-only); serve's IPv4 default → `502`, and a bracketed `[::1]` literal → serve mangles it (`unknown proxy destination`). `localhost` resolves to `::1` and works.
45-
- Add `server.allowedHosts: ['.ts.net']` to `vite.config.ts` or the tunnel host gets **"Blocked request"** (Vite's DNS-rebinding guard). **Dev-only — don't commit it.**
45+
- Run the dev server with **`VITE_TUNNEL=1 yarn dev`** — that flips on the committed, env-gated `server.allowedHosts: ['.ts.net']` in `vite.config.ts`. Without it the tunnel host gets **"Blocked request"** (Vite's DNS-rebinding guard). It's off by default, so a normal `yarn dev` is unaffected.
4646
- Sanity-check from the Mac (Homebrew `tailscaled` doesn't wire MagicDNS into the macOS resolver, so force-resolve):
4747
```bash
4848
curl -s --resolve <your-machine>.<tailnet>.ts.net:443:$(tailscale ip -4 | head -1) \
@@ -94,8 +94,8 @@ Override the tab match (default `ts.net`) with `MATCH=<substr>`.
9494
```bash
9595
tailscale serve reset # tears down the serve config (no `off` keyword in current Tailscale)
9696
pkill -f ios_webkit_debug_proxy
97-
git checkout vite.config.ts # drop the temporary allowedHosts tweak
9897
```
98+
(Nothing to revert in `vite.config.ts` — the `allowedHosts` allowance is committed and gated behind `VITE_TUNNEL`, off unless you set it.)
9999

100100
---
101101

vite.config.ts

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,12 @@ export default defineConfig(({command}) => {
3434

3535
return ({
3636
base,
37+
// Opt-in via VITE_TUNNEL=1: allow a Tailscale-serve HTTPS *.ts.net
38+
// hostname to proxy into the dev server for real-device (iPad/iPhone)
39+
// testing — otherwise Vite's DNS-rebinding host check returns "Blocked
40+
// request". Off by default; the dev server still binds localhost only
41+
// (tailscaled forwards to it). See .claude/skills/ios-device-debug.
42+
server: process.env.VITE_TUNNEL ? {allowedHosts: ['.ts.net']} : undefined,
3743
// Baked into the bundle as a literal so the client can show which
3844
// build it's running (see src/appVersion.ts). The same object is
3945
// emitted as dist/version.json below for the deploy-time update check.

0 commit comments

Comments
 (0)