From 5cb9f6e06b9c9750381fda330077ba59148c2d3b Mon Sep 17 00:00:00 2001 From: Ojus Chugh Date: Sun, 8 Mar 2026 23:02:14 +0530 Subject: [PATCH] Fix dev server rejecting non-localhost hosts when using FX_PROFILER_HOST --- CONTRIBUTING.md | 2 +- scripts/lib/dev-server.mjs | 21 ++++++++++++++------- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6d35e59306..3e4f7d5373 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -96,7 +96,7 @@ If you'd like to use [profiler.firefox.com](https://profiler.firefox.com) via UR FX_PROFILER_HOST="0.0.0.0" yarn start ``` -You'll probably also want to add your non-localhost domains to the `allowedHosts` property in `server.js`. +When using `FX_PROFILER_HOST="0.0.0.0"`, any hostname is allowed so you can access the profiler from other devices on your network. If you want to expose only a specific hostname instead, set `FX_PROFILER_HOST` to that hostname directly and it will be added to the allowed hosts automatically. ## Finding something to work on diff --git a/scripts/lib/dev-server.mjs b/scripts/lib/dev-server.mjs index 23e1639e1f..210d3ecb62 100644 --- a/scripts/lib/dev-server.mjs +++ b/scripts/lib/dev-server.mjs 
@@ -24,20 +24,27 @@ const EXTRA_HEADERS = { }; // Allowed hosts for dev server -const ALLOWED_HOSTS = ['localhost', '.app.github.dev']; +const BASE_ALLOWED_HOSTS = ['localhost', '.app.github.dev']; -function isHostAllowed(hostHeader) { +function isHostAllowed(hostHeader, host) { if (!hostHeader) { return false; } - // Extract hostname without port + // When binding to all interfaces, allow any host. + if (host === '0.0.0.0') { + return true; + } + const hostname = hostHeader.split(':')[0]; - // Check exact match or suffix match for wildcard patterns - return ALLOWED_HOSTS.some((allowedHost) => { + // Include the configured host in addition to the defaults. + const allowedHosts = BASE_ALLOWED_HOSTS.includes(host) + ? BASE_ALLOWED_HOSTS + : [...BASE_ALLOWED_HOSTS, host]; + + return allowedHosts.some((allowedHost) => { if (allowedHost.startsWith('.')) { - // Wildcard pattern like '.app.github.dev' return hostname.endsWith(allowedHost); } return hostname === allowedHost; @@ -75,7 +82,7 @@ export async function startDevServer(buildConfig, options = {}) { // Create HTTP server const server = http.createServer((req, res) => { // Validate Host header - if (!isHostAllowed(req.headers.host)) { + if (!isHostAllowed(req.headers.host, host)) { res.writeHead(403, { 'Content-Type': 'text/plain' }); res.end('Invalid Host header'); return;
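Review bot: The `host === '0.0.0.0'` branch added to `isHostAllowed` returns `true` for every Host header, which switches off the check that protects the dev server from DNS rebinding: with that binding, a request carrying any hostname that resolves to the machine's address passes validation. A Host value that is an IP literal cannot be rebound, so the branch could be narrowed and moved below the `hostname` extraction, `if (host === '0.0.0.0' && isIP(hostname) !== 0) { return true; }`, leaving named hosts to the allowlist; `isIP` comes from `node:net`, and the file's import block is outside this hunk, so it would presumably need importing. Separately, `hostHeader.split(':')[0]` yields `[` for a bracketed IPv6 Host such as `[::1]:PORT`, so an IPv6 value in `FX_PROFILER_HOST` would never match the entry this hunk appends to `allowedHosts`. If the blanket allow is kept, a comment above the branch such as `// Host validation is disabled for this binding; every client that can reach the port is trusted.` would make the trade-off visible to the next reader.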