disallow automatic validation of ALL IP's. fixes webpack#1618

for both Host checking and Origin checking

Author: Carlos Requena López

lib/Server.js

@@ -647,6 +647,10 @@ Server.prototype.setContentHeaders = function (req, res, next) {
 };
 
 Server.prototype.checkHost = function (headers, headerToCheck) {
+  /* This routine is also used to check the Origin header, whenever
+   * headerToCheck says so
+   */
+
   // allow user to opt-out this security check, at own risk
   if (this.disableHostCheck) {
     return true;
@@ -668,15 +672,6 @@ Server.prototype.checkHost = function (headers, headerToCheck) {
     false,
     true
   ).hostname;
-  // always allow requests with explicit IPv4 or IPv6-address.
-  // A note on IPv6 addresses:
-  // hostHeader will always contain the brackets denoting
-  // an IPv6-address in URLs,
-  // these are removed from the hostname in url.parse(),
-  // so we have the pure IPv6-address in hostname.
-  if (ip.isV4Format(hostname) || ip.isV6Format(hostname)) {
-    return true;
-  }
   // always allow localhost host, for convience
   if (hostname === 'localhost') {
     return true;