pull/915/head
fflorent 2 weeks ago
parent 14b2bfa2ba
commit 539daf9286

@ -50,10 +50,8 @@ export function attachAppEndpoint(options: AttachOptions): void {
sendAppPage(req, res, {path: 'apiconsole.html', status: 200, config: {}})));
app.get('/api/worker/:docId([^/]+)/?*', expressWrap(async (req, res) => {
// FIXME: To the reviewers: I moved these two lines at the top of the express handler.
// Is it OK? Seems rather safe to me.
res.header("Access-Control-Allow-Credentials", "true");
if (!trustOrigin(req, res)) { throw new Error('Unrecognized origin'); }
res.header("Access-Control-Allow-Credentials", "true");
const {selfPrefix, docWorker} = await getDocWorkerInfoOrSelfPrefix(
req.params.docId, docWorkerMap, gristServer.getTag()

@ -87,7 +87,6 @@ export function trustOrigin(req: IncomingMessage, resp?: Response): boolean {
// Note that the request origin is undefined for non-CORS requests.
const origin = req.headers.origin;
if (!origin) { return true; } // Not a CORS request.
if (!allowHost(req, new URL(origin))) { return false; }
if (resp) {

@ -420,7 +420,7 @@ export async function fetchDoc(
template: boolean
): Promise<UploadResult> {
// Prepare headers that preserve credentials of current user.
const headers = getTransitiveHeaders(req, { includeOrigin: false }); // NO EFFECT
const headers = getTransitiveHeaders(req, { includeOrigin: false });
// Find the doc worker responsible for the document we wish to copy.
// The backend needs to be well configured for this to work.
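Review bot: Dropping the `// NO EFFECT` comment leaves `includeOrigin: false` on the `getTransitiveHeaders` call with no stated reason, and the next reader will not know whether omitting the Origin is deliberate. Judging from `trustOrigin` in the second hunk, where a missing Origin is treated as a non-CORS request and returns true, the intent is presumably that the doc worker receiving the forwarded fetch handles it as a same-origin server-to-server request rather than applying browser CORS checks; I would record that next to the option, e.g. `// Do not forward the browser's Origin: the doc worker must treat this as a non-CORS request (see trustOrigin).` In the first hunk it is not visible from this page which of the two `res.header("Access-Control-Allow-Credentials", "true")` lines survives; the one to keep is the one after the `trustOrigin` check, so that the credentials header is never emitted on a response to an origin that has not been validated. That handler's body continues outside the hunk, as does `trustOrigin` in the second hunk.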
