uploads: do not use Origin header in fetchDoc

The `Origin` header is produced by `getTransitiveHeaders` but we don't
need it here, as this is only for an internal request where no
cross-origin attacks are possible.
Jordi Gutiérrez Hermoso 2024-04-10 14:24:39 -04:00 committed by jordigh
parent 17ea97db78
commit 400937fea3


@ -409,6 +409,12 @@ export async function fetchDoc(server: GristServer, docId: string, req: Request,
// Prepare headers that preserve credentials of current user. // Prepare headers that preserve credentials of current user.
const headers = getTransitiveHeaders(req); const headers = getTransitiveHeaders(req);
// Passing the Origin header would serve no purpose here, as we are
// constructing an internal request to fetch from our own doc worker
// URL. Indeed, it may interfere, as it could incur a CORS check in
// `trustOrigin`, which we do not need.
delete headers.Origin;
// Find the doc worker responsible for the document we wish to copy. // Find the doc worker responsible for the document we wish to copy.
// The backend needs to be well configured for this to work. // The backend needs to be well configured for this to work.
const homeUrl = server.getHomeUrl(req); const homeUrl = server.getHomeUrl(req);
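Review bot: After `delete headers.Origin;` the forwarded request still carries the user's credentials (per the "preserve credentials of current user" comment) but no longer tells the doc worker which site initiated it, so the origin check in `trustOrigin` is skipped for this hop. The added comment should record the invariant that makes this safe, for example `// Safe only because the route that calls fetchDoc has already validated the Origin of req; the doc worker will not re-check it.` Whether every caller of `fetchDoc` performs that check is not visible here, as the hunk shows only part of the function body. It is also worth confirming that `getTransitiveHeaders` emits the key with exactly this capitalisation, since `delete` on a differently cased key silently does nothing and the header would still be forwarded.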