From f90d3e5d582298736c8744966e4950fee5502d23 Mon Sep 17 00:00:00 2001
From: fflorent
Date: Tue, 7 May 2024 10:41:08 +0200
Subject: [PATCH] Explain why we don't pass the Origin header in DocApiForwarder

---
 app/gen-server/lib/DocApiForwarder.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/gen-server/lib/DocApiForwarder.ts b/app/gen-server/lib/DocApiForwarder.ts
index f63f217d..3545a63a 100644
--- a/app/gen-server/lib/DocApiForwarder.ts
+++ b/app/gen-server/lib/DocApiForwarder.ts
@@ -104,6 +104,10 @@ export class DocApiForwarder {
     url.pathname = removeTrailingSlash(docWorkerUrl.pathname) + url.pathname;
     const headers: {[key: string]: string} = {
+      // At this point, we have already checked and trusted the origin of the request.
+      // See FlexServer#addApiMiddleware(). So don't include the "Origin" header.
+      // Including this header also would break features like form submissions,
+      // as the "Host" header is not retrieved when calling getTransitiveHeaders().
       ...getTransitiveHeaders(req, { includeOrigin: false }),
       'Content-Type': req.get('Content-Type') || 'application/json',
     };
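Review bot: The last two added comment lines leave the causal link implicit: they say form submissions would break because "Host" is not retrieved, but not why a forwarded "Origin" without the original "Host" is a problem, so a reader cannot tell whether dropping the header is a security decision or a workaround. If the reason is that the receiving side would compare "Origin" against a different "Host" (presumably — confirm against the doc worker's handling), say so, e.g. `// Forwarding "Origin" without the original "Host" would make the receiving side see an origin/host mismatch and reject e.g. form submissions.`. It would also help to state in the same comment that this forwarder therefore relies entirely on the origin check in FlexServer#addApiMiddleware() running before it, so that nobody later routes a request here without that middleware. The enclosing method starts and ends outside the hunk.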