fix(security): backport dev client access check from v5.2.1 using trusted header

Author: Wajih-Ul-Hasan

lib/Server.js

@@ -1,7 +1,8 @@
 "use strict";
 
-function isChromiumBased(userAgentHeader) {
-  return Boolean(userAgentHeader && userAgentHeader.includes('Chrome'));
+function isTrustedClient(req) {
+  // Only allow injection if client explicitly identifies itself
+  return req.headers["webpack-dev-server-client"] === "true";
 }
 
 const os = require("os");
@@ -2108,8 +2109,9 @@ class Server {
         (middleware).waitUntilValid((stats) => {
           res.setHeader("Content-Type", "text/html");
 
-          if (!isChromiumBased(req.headers['user-agent'])) {
-            res.end('<!DOCTYPE html><html><body><h2>Access blocked: Please use a Chromium-based browser (Chrome, Edge, etc.).</h2></body></html>');
+          if (!isTrustedClient(req)) {
+            res.statusCode = 403;
+            res.end("Access denied: Missing required dev server client header.");
             return;
           }