
fix(@angular-devkit/build-angular): remove unconditional CORS wildcard from webpack dev-server #33250

Open. filbertsaputro wants to merge 1 commit into angular:main from filbertsaputro:fix/devserver-cors-wildcard

Conversation

@filbertsaputro filbertsaputro commented May 26, 2026

PR Checklist

Please check to confirm your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe: Security hardening (aligning legacy webpack dev-server defaults with the modern @angular/build builder)

What is the current behavior?

The legacy webpack-based dev-server bundled with @angular-devkit/build-angular:dev-server unconditionally sets Access-Control-Allow-Origin: * on every response in packages/angular_devkit/build_angular/src/tools/webpack/configs/dev-server.ts. This overrides webpack-dev-server cross-origin protections (added in 5.2.1 to address CVE-2025-30359 / CVE-2025-30360) and allows any web page a developer visits to read the full content of the local dev server cross-origin.

Background and ecosystem retrospective: https://green.sapphi.red/blog/addressing-source-code-leaks-across-the-ecosystem-a-retrospective

Issue Number: N/A

What is the new behavior?

The unconditional Access-Control-Allow-Origin: * header is removed. Developers who relied on the previous behavior can opt back in explicitly via the existing headers option in angular.json:

"serve": {
  "options": {
    "headers": { "Access-Control-Allow-Origin": "*" }
  }
}

Alignment with the modern builder

The newer @angular/build dev-server (Vite-based) already does not set Access-Control-Allow-Origin by default. Its existing test contract asserts this explicitly in packages/angular/build/src/builders/dev-server/tests/options/headers_spec.ts:

it('should not include Access-Control-Allow-Origin header by default', async () => {
  harness.useTarget('serve', { ...BASE_OPTIONS });
  const { result, response } = await executeOnceAndFetch(harness, '/main.js');
  expect(result?.success).toBeTrue();
  expect(await response?.headers.has('access-control-allow-origin')).toBeFalse();
});

Changes

  • packages/angular_devkit/build_angular/src/tools/webpack/configs/dev-server.ts — remove the unconditional 'Access-Control-Allow-Origin': '*' entry; pass user-provided headers through unchanged.
  • packages/angular_devkit/build_angular/src/builders/dev-server/tests/options/headers_spec.ts — new test file mirroring the contract in @angular/build.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information
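As an added example (not code from the PR or from the Angular CLI), the following TypeScript models the browser-side consequence described in the PR description: a simplified CORS read rule run over the pre-fix default, the fixed default and the angular.json opt-in, plus a small parser for a raw response head so the same check can be applied to a response captured from a local dev server with curl -i. The functions buildDevServerHeaders, browserExposesBody and parseResponseHeaders, the third-party origin and the sample response are all assumptions or constructed data, not the project's own code.

```typescript
// Added example, not the PR's or the Angular CLI's code. It models the effect of
// the header change: with the legacy wildcard any page can read dev-server
// responses; after the fix only an explicit `headers` opt-in re-enables that.

type HeaderMap = Record<string, string>;

// Hypothetical stand-in for the header assembly in dev-server.ts.
// legacyWildcard=true reproduces the pre-fix default; false is the fixed
// behaviour, where user-provided headers pass through unchanged.
function buildDevServerHeaders(userHeaders: HeaderMap, legacyWildcard: boolean): HeaderMap {
  const defaults: HeaderMap = legacyWildcard ? { 'Access-Control-Allow-Origin': '*' } : {};
  return { ...defaults, ...userHeaders };
}

// Simplified CORS rule for a credential-less GET: the browser exposes the body
// to a cross-origin page only if ACAO is '*' or exactly the requesting origin.
function browserExposesBody(responseHeaders: HeaderMap, requestOrigin: string): boolean {
  const entry = Object.entries(responseHeaders).find(
    ([name]) => name.toLowerCase() === 'access-control-allow-origin',
  );
  const acao = entry?.[1].trim();
  return acao === '*' || acao === requestOrigin;
}

// Parses the head of a raw HTTP/1.1 response (e.g. captured with `curl -i`)
// into a header map so a real dev-server response can be checked the same way.
function parseResponseHeaders(raw: string): HeaderMap {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const headers: HeaderMap = {};
  for (const line of head.split(/\r?\n/).slice(1)) { // skip the status line
    const idx = line.indexOf(':');
    if (idx > 0) headers[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Constructed samples: a third-party page open in the developer's browser, and
// a pre-fix style response head (not captured from a real server).
const THIRD_PARTY_ORIGIN = 'https://third-party.example';
const SAMPLE_RESPONSE =
  'HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n' +
  'Access-Control-Allow-Origin: *\r\n\r\nconsole.log(1);';

// Outcome for the configurations discussed in the PR, plus the captured sample.
function corsExposure(): { before: boolean; after: boolean; optIn: boolean; captured: boolean } {
  const before = buildDevServerHeaders({}, true);                                     // pre-fix default
  const after = buildDevServerHeaders({}, false);                                     // fixed default
  const optIn = buildDevServerHeaders({ 'Access-Control-Allow-Origin': '*' }, false); // angular.json opt-in
  return {
    before: browserExposesBody(before, THIRD_PARTY_ORIGIN),   // true: readable by any page
    after: browserExposesBody(after, THIRD_PARTY_ORIGIN),     // false
    optIn: browserExposesBody(optIn, THIRD_PARTY_ORIGIN),     // true, but now a deliberate choice
    captured: browserExposesBody(parseResponseHeaders(SAMPLE_RESPONSE), THIRD_PARTY_ORIGIN), // true
  };
}
```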

google-cla Bot commented May 26, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

gemini-code-assist Bot left a comment

Code Review

This pull request removes the default 'Access-Control-Allow-Origin: *' header from the Webpack dev-server configuration, allowing headers to be fully controlled by the user's configuration. It also introduces a comprehensive set of unit tests to verify that custom headers are correctly applied and that the default CORS header is no longer present unless explicitly configured.

…d from webpack dev-server

The legacy webpack-based dev-server unconditionally sets
`Access-Control-Allow-Origin: *` on every response. This overrides
webpack-dev-server v5's cross-origin protections and leaves the local
dev server readable by any web page the developer visits in the same
browser session.

The modern `@angular/build` dev-server (Vite-based) already does not
set this header by default; its test contract explicitly asserts that
`Access-Control-Allow-Origin` is absent unless the user configures it.
This change brings the legacy webpack dev-server in line with that
contract.

Users who relied on the previous behavior can opt back in explicitly
via the existing `headers` option in `angular.json`:

  "serve": {
    "options": {
      "headers": { "Access-Control-Allow-Origin": "*" }
    }
  }

filbertsaputro force-pushed the fix/devserver-cors-wildcard branch from 927103f to 5e3e4b0 on May 26, 2026 03:16

alan-agius4 added the labels target: patch (This PR is targeted for the next patch release) and action: merge (The PR is ready for merge by the caretaker) on May 26, 2026