[PS-1152] CLI serve forbid browser requests (#3220)

* Inconsiquential change to allow a draft PR

* Serve blocks requests from browsers by default

Option is provided to override this behavior for backwards
compatibility.

* Revert "Inconsiquential change to allow a draft PR"

This reverts commit 0f51344c35.

apps/cli/src/commands/serve.command.ts

@@ -149,14 +149,31 @@ export class ServeCommand {
   }
 
   async run(options: program.OptionValues) {
+    const protectOrigin = !options.disableOriginProtection;
     const port = options.port || 8087;
     const hostname = options.hostname || "localhost";
+    this.main.logService.info(
+      `Starting server on ${hostname}:${port} with ${
+        protectOrigin ? "origin protection" : "no origin protection"
+      }`
+    );
+
     const server = new koa();
     const router = new koaRouter();
     process.env.BW_SERVE = "true";
     process.env.BW_NOINTERACTION = "true";
 
-    server.use(koaBodyParser()).use(koaJson({ pretty: false, param: "pretty" }));
+    server
+      .use(async (ctx, next) => {
+        if (protectOrigin && ctx.headers.origin != undefined) {
+          ctx.status = 403;
+          this.main.logService.warning(`Blocking request from ${ctx.headers.origin}`);
+          return;
+        }
+        await next();
+      })
+      .use(koaBodyParser())
+      .use(koaJson({ pretty: false, param: "pretty" }));
 
     router.get("/generate", async (ctx, next) => {
       const response = await this.generateCommand.run(ctx.request.query);