mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-10-27 20:44:07 +00:00
uploads: do not use Origin header in fetchDoc
The `Origin` header is produced by `getTransitiveHeaders` but we don't need it here, as this is only for an internal request where no cross-origin attacks are possible.
parent
17ea97db78
commit
400937fea3
@ -409,6 +409,12 @@ export async function fetchDoc(server: GristServer, docId: string, req: Request,
|
|||||||
// Prepare headers that preserve credentials of current user.
|
// Prepare headers that preserve credentials of current user.
|
||||||
const headers = getTransitiveHeaders(req);
|
const headers = getTransitiveHeaders(req);
|
||||||
|
|
||||||
|
// Passing the Origin header would serve no purpose here, as we are
|
||||||
|
// constructing an internal request to fetch from our own doc worker
|
||||||
|
// URL. Indeed, it may interfere, as it could incur a CORS check in
|
||||||
|
// `trustOrigin`, which we do not need.
|
||||||
|
delete headers.Origin;
|
||||||
|
|
||||||
// Find the doc worker responsible for the document we wish to copy.
|
// Find the doc worker responsible for the document we wish to copy.
|
||||||
// The backend needs to be well configured for this to work.
|
// The backend needs to be well configured for this to work.
|
||||||
const homeUrl = server.getHomeUrl(req);
|
const homeUrl = server.getHomeUrl(req);
|
||||||
|
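Review bot: Dropping `Origin` right after `const headers = getTransitiveHeaders(req);` means the doc worker no longer sees the browser's origin on a request that still carries the current user's credentials. The only origin check left is whatever ran on the inbound `req` before `fetchDoc` was called, so the new comment should state that precondition, e.g. `// Callers must already have validated the origin of req; the doc worker will not re-check it.` Separately, `delete headers.Origin;` removes that exact key only, so it silently becomes a no-op if `getTransitiveHeaders` ever returns the header under another casing such as `origin`. That helper is not visible in this hunk, so confirm the key casing there, or add a test asserting the outgoing request carries no origin header. `fetchDoc`'s body starts and ends outside the hunk, so its callers' checks could not be confirmed from here.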