fix(ws): stricter check on web socket origins

To avoid CORS vulnerabilities

Author: haoqunjiang

packages/@vue/cli/lib/ui.js

@@ -6,10 +6,14 @@ const { setNotificationCallback } = require('@vue/cli-ui/apollo-server/util/noti
 function simpleCorsValidation (allowedHost) {
   return function (req, socket) {
     const { host, origin } = req.headers
-    // maybe we should just use strict string equal?
-    const hostRegExp = new RegExp(`^https?://(${host}|${allowedHost}|localhost)(:\\d+)?$`)
 
-    if (!origin || !hostRegExp.test(origin)) {
+    const safeOrigins = [
+      host,
+      allowedHost,
+      'localhost'
+    ]
+
+    if (!origin || !safeOrigins.includes(new URL(origin).hostname)) {
       socket.destroy()
     }
   }