uploads: do not use Origin header in `fetchDoc`

The `Origin` header is produced by `getTransitiveHeaders` but we don't
need it here, as this is only for an internal request where no
cross-origin attacks are possible.
pull/921/head
Jordi Gutiérrez Hermoso 1 month ago committed by jordigh
parent 17ea97db78
commit 400937fea3

@ -409,6 +409,12 @@ export async function fetchDoc(server: GristServer, docId: string, req: Request,
// Prepare headers that preserve credentials of current user.
const headers = getTransitiveHeaders(req);
// Passing the Origin header would serve no purpose here, as we are
// constructing an internal request to fetch from our own doc worker
// URL. Indeed, it may interfere, as it could incur a CORS check in
// `trustOrigin`, which we do not need.
delete headers.Origin;
// Find the doc worker responsible for the document we wish to copy.
// The backend needs to be well configured for this to work.
const homeUrl = server.getHomeUrl(req);
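
Review bot: `delete headers.Origin;` removes only a key spelled exactly `Origin`, so if `getTransitiveHeaders` ever returns the header under a different casing such as `origin`, this line silently does nothing and the CORS check in `trustOrigin` that the comment mentions can still be triggered. Consider removing the key case-insensitively, or giving `getTransitiveHeaders` an option to leave the header out, and add a test asserting that the request built in `fetchDoc` carries no Origin header while the remaining credential headers are still forwarded.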
