diff --git a/app/server/lib/AppEndpoint.ts b/app/server/lib/AppEndpoint.ts
index c38f6e0e..832f63fb 100644
--- a/app/server/lib/AppEndpoint.ts
+++ b/app/server/lib/AppEndpoint.ts
@@ -50,10 +50,8 @@ export function attachAppEndpoint(options: AttachOptions): void {
 sendAppPage(req, res, {path: 'apiconsole.html', status: 200, config: {}})));
 app.get('/api/worker/:docId([^/]+)/?*', expressWrap(async (req, res) => {
- // FIXME: To the reviewers: I moved these two lines at the top of the express handler.
- // Is it OK? Seems rather safe to me.
- res.header("Access-Control-Allow-Credentials", "true");
 if (!trustOrigin(req, res)) { throw new Error('Unrecognized origin'); }
+ res.header("Access-Control-Allow-Credentials", "true");
 const {selfPrefix, docWorker} = await getDocWorkerInfoOrSelfPrefix(
 req.params.docId, docWorkerMap, gristServer.getTag()
diff --git a/app/server/lib/requestUtils.ts b/app/server/lib/requestUtils.ts
index fae7ec71..94165405 100644
--- a/app/server/lib/requestUtils.ts
+++ b/app/server/lib/requestUtils.ts
@@ -87,7 +87,6 @@ export function trustOrigin(req: IncomingMessage, resp?: Response): boolean {
 // Note that the request origin is undefined for non-CORS requests.
 const origin = req.headers.origin;
 if (!origin) { return true; } // Not a CORS request.
-
 if (!allowHost(req, new URL(origin))) { return false; }
 if (resp) {
diff --git a/app/server/lib/uploads.ts b/app/server/lib/uploads.ts
index dc9ccc55..08c35852 100644
--- a/app/server/lib/uploads.ts
+++ b/app/server/lib/uploads.ts
@@ -420,7 +420,7 @@ export async function fetchDoc(
 template: boolean
 ): Promise {
 // Prepare headers that preserve credentials of current user.
- const headers = getTransitiveHeaders(req, { includeOrigin: false }); // NO EFFECT
+ const headers = getTransitiveHeaders(req, { includeOrigin: false });
 // Find the doc worker responsible for the document we wish to copy.
 // The backend needs to be well configured for this to work.
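Review bot: With the FIXME gone, nothing in the handler records why `res.header("Access-Control-Allow-Credentials", "true")` now has to sit after the `trustOrigin(req, res)` check, and the next edit could just as easily move it back above; a one-line comment on the added line would pin the intent, e.g. `// Only advertise credentialed CORS once trustOrigin() has accepted the request's Origin.` The ordering matters because `trustOrigin` throws on an unrecognized origin and returns true for requests without an Origin header (visible in the requestUtils.ts hunk), so the credentials header now only reaches responses that passed the origin check. `trustOrigin` receives `res` and has an `if (resp) {` branch, so it presumably writes its own CORS headers first — that body is outside the diff and worth confirming. One further point on existing code in this hunk: the rejection is a bare `throw new Error('Unrecognized origin')`, and what status `expressWrap` maps that to is not visible here; if it becomes a 500, a 403 would describe a rejected origin more accurately. The handler body continues beyond the last line of the hunk.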
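Review bot: Removing the `// NO EFFECT` marker from `getTransitiveHeaders(req, { includeOrigin: false })` deletes the only statement about what `includeOrigin` does on this call without replacing it with the reason the option is set, so a reader still cannot tell whether the Origin header is meant to be dropped or whether the flag is still ignored. If the option is honoured now, a why-comment would document the choice, e.g. `// Do not forward the browser's Origin: this fetch is made by the server on the user's behalf, not a CORS request.` — the "server on the user's behalf" part is my reading of the surrounding comments about preserving the user's credentials and locating the doc worker, and should be confirmed against `getTransitiveHeaders`, which is outside the diff. If the marker was accurate and the flag really is ignored, deleting the marker hides the discrepancy rather than resolving it, and the call site or `getTransitiveHeaders` should be fixed instead. `fetchDoc`'s signature begins and its body continues outside the hunk.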