rojo-rbx/rojo
1
0
Fork 1
mirror of https://github.com/rojo-rbx/rojo.git synced 2026-06-12 23:00:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add origin/host validation and warning for exposed serves (#1270)

Browse Source
This commit is contained in:
boatbomber
2026-06-07 15:51:05 -07:00
committed by GitHub
parent 444dc11b26
commit ac6941f054
10 changed files with 852 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@@ -44,6 +44,7 @@ Making a new release? Simply add the new header with the version and date undern
* Fixed the sync fallback scrambling sibling order; replacements are now re-parented ancestors-first and in their original child order. ([#1265])
* Instances that share a name and class are now robustly matched on resync by comparing their properties, instead of relying on child order alone. ([#1266])
* Rojo now reports a clear error instead of panicking in several cases, including when the `serve` port is already in use, when a synced file is read-only or locked, when the filesystem watcher can't be created, and when the working directory is inaccessible. ([#1267])
* `rojo serve` now validates the `Host`/`Origin` headers to protect the local/private server against DNS rebinding, gates `/api/open` to local clients, and warns when bound to a network-reachable address. The accepted hosts can be extended with the `--allowed-hosts` option or a project's `serveAllowedHosts` field, for example to reach a network-exposed server by hostname. ([#1270])
[#1176]: https://github.com/rojo-rbx/rojo/pull/1176
[#1179]: https://github.com/rojo-rbx/rojo/pull/1179
@@ -58,6 +59,7 @@ Making a new release? Simply add the new header with the version and date undern
[#1265]: https://github.com/rojo-rbx/rojo/pull/1265
[#1266]: https://github.com/rojo-rbx/rojo/pull/1266
[#1267]: https://github.com/rojo-rbx/rojo/pull/1267
[#1270]: https://github.com/rojo-rbx/rojo/pull/1270
## [7.7.0-rc.1] (November 27th, 2025)