Builder-Vite: Fix defaulting to allowing all hosts

[JReinhold]

What I did

This PR partially reverts #30432 . The default behavior is now to follow Vite, in not allowing any hosts but localhost. However it's still possible to overwrite this with the --host CLI flag or in viteFinal.

It shows an error crude message in the iframe, but only when visiting the iframe.html directly, because the manager's loading spinner obscures the iframe:

Therefore, it shows the same message in the console, both in the iframe and the manager:

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

• stories
• unit tests
• integration tests
• end-to-end tests

Manual testing

1. Edit your /etc/hosts file (sudo required) and add the following line: 127.0.0.1 my-custom.local
2. Start up the Storybook UI
3. Visit localhost:6006 and see that everything works
4. Visit my-custom.local:6006 and see that the story loads infinitely, but you get the error message in the console.
5. Visit my-custom.local:6006/iframe.html and see that you get the error message in the DOM
6. Restart Storybook with yarn storybook:ui --host my-custom.local
7. Visit localhost:6006 and see that everything works
8. Visit my-custom.local:6006 and see that everything works
9. Edit code/.storybook/main.ts and add allowedHosts: ['my-custom.local'] to the server property in the viteFinal hook.
10. Restart Storybook without the --host flag
11. Visit localhost:6006 and see that everything works
12. Visit my-custom.local:6006 and see that everything works

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

• Add or update documentation reflecting your changes
• If you are deprecating/removing a feature, make sure to update
  MIGRATION.MD

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

name	before	after	diff	z	%
createSize	0 B	0 B	0 B	-	-
generateSize	80.5 MB	80.5 MB	79 B	0.36	0%
initSize	80.5 MB	80.5 MB	79 B	0.36	0%
diffSize	97 B	97 B	0 B	-	0%
buildSize	7.31 MB	7.31 MB	1.43 kB	1.24	0%
buildSbAddonsSize	1.9 MB	1.9 MB	0 B	1.14	0%
buildSbCommonSize	195 kB	195 kB	0 B	-	0%
buildSbManagerSize	1.88 MB	1.88 MB	0 B	1.06	0%
buildSbPreviewSize	0 B	0 B	0 B	-	-
buildStaticSize	0 B	0 B	0 B	-	-
buildPrebuildSize	3.97 MB	3.97 MB	0 B	1.14	0%
buildPreviewSize	3.34 MB	3.34 MB	1.43 kB	1.29	0%
testBuildSize	0 B	0 B	0 B	-	-
testBuildSbAddonsSize	0 B	0 B	0 B	-	-
testBuildSbCommonSize	0 B	0 B	0 B	-	-
testBuildSbManagerSize	0 B	0 B	0 B	-	-
testBuildSbPreviewSize	0 B	0 B	0 B	-	-
testBuildStaticSize	0 B	0 B	0 B	-	-
testBuildPrebuildSize	0 B	0 B	0 B	-	-
testBuildPreviewSize	0 B	0 B	0 B	-	-

name	before	after	diff	z	%
createTime	14s	24.5s	10.5s	0.59	42.9%
generateTime	18.8s	19.1s	304ms	-0.43	1.6%
initTime	4.4s	4.3s	-88ms	-1.33	-2%
buildTime	8.3s	8.6s	296ms	-0.77	3.4%
testBuildTime	0ms	0ms	0ms	-	-
devPreviewResponsive	5.9s	5.1s	-880ms	-0.41	-17.2%
devManagerResponsive	4.7s	3.8s	-842ms	-0.38	-21.8%
devManagerHeaderVisible	983ms	756ms	-227ms	-0.26	-30%
devManagerIndexVisible	996ms	767ms	-229ms	-0.43	-29.9%
devStoryVisibleUncached	4.5s	3.5s	-1s -29ms	0.07	-29.2%
devStoryVisible	1s	788ms	-282ms	-0.48	-35.8%
devAutodocsVisible	918ms	745ms	-173ms	-0.05	-23.2%
devMDXVisible	868ms	754ms	-114ms	0.09	-15.1%
buildManagerHeaderVisible	844ms	718ms	-126ms	-0.91	-17.5%
buildManagerIndexVisible	855ms	728ms	-127ms	-1.34	🔰-17.4%
buildStoryVisible	793ms	685ms	-108ms	-0.8	-15.8%
buildAutodocsVisible	584ms	532ms	-52ms	-0.64	-9.8%
buildMDXVisible	654ms	688ms	34ms	0.42	4.9%

Greptile Summary

Based on the provided information, I'll create a concise summary of the key changes in this PR:

This PR modifies Vite server configuration in Storybook to improve security by restricting allowed hosts to localhost by default.

• Modified code/builders/builder-vite/src/vite-server.ts to follow Vite's default secure behavior of only allowing localhost access
• Added error handling in code/builders/builder-vite/input/iframe.html to display helpful messages when accessing from non-allowed hosts
• Added support for overriding host restrictions via --host CLI flag or viteFinal configuration
• Improved error messaging in both console and iframe when accessing from unauthorized hosts
• Maintains backward compatibility by allowing custom hosts through explicit configuration

The changes represent a security improvement while maintaining flexibility for developers who need to access Storybook from non-localhost addresses.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 65548b1.

Command	Status	Duration	Result
nx run-many -t build --parallel=3	✅ Succeeded	2m	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-02-14 08:04:09 UTC

[greptile-apps]

_{2 file(s) reviewed, 3 comment(s)
Edit PR Review Bot Settings | Greptile}

[greptile-apps]

style: The IP regex will match invalid IPs like 999.999.999.999. Consider using a more robust IP validation method.

Suggested change

	const ipRegex = /^(?:\d{1,3}\.){3}\d{1,3}$|^(?:[a-fA-F0-9]{1,4}:){7}[a-fA-F0-9]{1,4}$/;
	const ipRegex = /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(?:[a-fA-F0-9]{1,4}:){7}[a-fA-F0-9]{1,4}$/;

[valentinpalkovic]

This regex gets too complex. Please add a comment of what it actually should match.

[JReinhold]

I'd love to, but I didnt write it so I dont know 🤷‍♀️

[greptile-apps]

logic: HTML injection could be unsafe if hostname contains malicious content. Consider sanitizing hostname before inserting into innerHTML

Suggested change

	document.getElementById('storybook-root').innerHTML =
	`<p style="color: red; max-width: 70ch">${message.replaceAll(
	'\n',
	'<br/>'
	)}<ul>${docs.map((doc) => `<li><a href='${doc}' target='_blank'>${doc}</a></li>`).join('')}<ul></p>`;
	const sanitizedHostname = hostname.replace(/[<>"'&]/g, ''); // Basic HTML escaping
	document.getElementById('storybook-root').innerHTML =
	`<p style="color: red; max-width: 70ch">${message.replaceAll(
	'\n',
	'<br/>'
	).replace(hostname, sanitizedHostname)}<ul>${docs.map((doc) => `<li><a href='${doc}' target='_blank'>${doc}</a></li>`).join('')}</ul></p>`;

[shilman]

Thanks so much @JReinhold !!! Perfect is the enemy of the good 😉