Remove lvh.me #65

Closed
Mardoxx opened this issue Feb 9, 2025 · 8 comments · Fixed by #67

Comments

Mardoxx commented Feb 9, 2025

I don't care for someone else's domain.

Author

Mardoxx commented Feb 9, 2025

{
  type: 2,
  value: 'lvh.me',
},
{
  type: 2,
  value: '*.lvh.me',
},

Author

Mardoxx commented Feb 9, 2025

I don't know when, but after some update, Vite is now listening on

  ➜  Local:   https://localhost:5173/
  ➜  Local:   https://localhost.localdomain:5173/
  ➜  Local:   https://lvh.me:5173/
  ➜  Local:   https://vite.lvh.me:5173/

I'd love to know why.

Author

Mardoxx commented Feb 9, 2025

basicSsl({
  domains: ['whatever.localhost'],
  certDir: './certs',
})

Does not override either. Which is not great - it shouldn't append, it should override imo.

Author

Mardoxx commented Feb 9, 2025

Okay, it seems Vite's SSL automatically listens on, and accepts traffic from, all SANs in the cert regardless of what you set server.allowedHosts to.

Author

Mardoxx commented Feb 9, 2025

Not sure where it is generating vite.lvh.me from though.

Member

bluwy commented Feb 11, 2025

Some information about lvh.me here: https://stackoverflow.com/questions/51583321/it-is-safe-to-use-lvh-me-instead-of-localhost-for-testing

I suppose we can remove it to discourage its usage. The reason it's showing the URLs now is due to a recent Vite update that shows the possible URLs you can use to access your site locally. You were always able to access through lvh.me, just that the QoL change is revealing it.

@tkoeppen

This is a potential future security risk (supply chain attack).
Someone who owns lvh.me changes the DNS entry from 127.0.0.1 to something else and the supply chain attack is there.

Solution: remove any relation to lvh.me from the project.


peter-at-work commented Feb 19, 2025

Developers put a higher level of trust in this plugin, being under the vitejs organization, compared to external plugins that perform the same thing. References to an external service like lvh.me, not controlled by vitejs, add to the risk of supply chain attacks and information leakage.

FWIW, subdomains under localhost, like foo.bar.localhost, are starting to be resolved to 127.0.0.1 on modern operating systems, including the latest Windows network stack.
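
A defender-side check for the concern raised in this thread, as an added example that is not part of the issue or of the plugin's code: it splits a certificate's SAN entries (in the `{ type, value }` shape quoted above, or parsed from the string Node's `X509Certificate#subjectAltName` returns) into names that RFC 6761 reserves for loopback and names whose DNS someone else controls. The function names and the `extraAllowed` parameter are assumptions made for the example.

```javascript
// Added example (not the plugin's code): audit certificate SAN entries.
// GeneralName tags from RFC 5280: 2 = dNSName, 7 = iPAddress.
const DNS_NAME = 2;
const IP_ADDRESS = 7;

// RFC 6761 reserves "localhost" and every name under it for loopback.
function isReservedLoopbackName(name) {
  const n = String(name).toLowerCase().replace(/^\*\./, '').replace(/\.$/, '');
  return n === 'localhost' || n.endsWith('.localhost');
}

// 127.0.0.0/8 and ::1 (compressed or fully expanded form).
function isLoopbackIp(ip) {
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (m) return m.slice(1).every((octet) => Number(octet) <= 255);
  return ip === '::1' || ip === '0:0:0:0:0:0:0:1';
}

// Parse Node's X509Certificate#subjectAltName string ("DNS:a, IP Address:b").
function parseSubjectAltName(san) {
  return (san || '').split(/,\s*/).filter(Boolean).map((part) => {
    const i = part.indexOf(':');
    const kind = part.slice(0, i);
    const value = part.slice(i + 1);
    if (kind === 'DNS') return { type: DNS_NAME, value };
    if (kind === 'IP Address') return { type: IP_ADDRESS, value };
    return { type: null, value: part }; // unknown kinds are never trusted
  });
}

// Split entries into loopback-pinned names and names resolved by outside DNS.
// `extraAllowed` (hypothetical parameter): hosts the team pins in /etc/hosts.
function auditAltNames(entries, extraAllowed = []) {
  const allowed = new Set(extraAllowed.map((h) => h.toLowerCase()));
  const result = { loopback: [], external: [] };
  for (const e of entries) {
    const v = String(e.value ?? e.ip); // assumption: some libraries use `ip` for type 7
    const ok =
      (e.type === DNS_NAME && (isReservedLoopbackName(v) || allowed.has(v.toLowerCase()))) ||
      (e.type === IP_ADDRESS && isLoopbackIp(v));
    (ok ? result.loopback : result.external).push(v);
  }
  return result;
}

// Constructed sample; the lvh.me names are the ones quoted in this thread.
const SAMPLE_SAN = 'DNS:localhost, DNS:*.localhost, DNS:lvh.me, DNS:*.lvh.me, IP Address:127.0.0.1';
console.log(auditAltNames(parseSubjectAltName(SAMPLE_SAN)));
```

To audit a real certificate, pass `new X509Certificate(pem).subjectAltName` from `node:crypto` to `parseSubjectAltName` and fail the build when `external` is non-empty.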
