fix: ensure that Origin header is rewritten as necessary #4812
Conversation
🦋 Changeset detectedLatest commit: 0337596 The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
A wrangler prerelease is available for testing. You can install this latest build in your project with: npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7631624262/npm-package-wrangler-4812You can reference the automatically updated head of this PR with: npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/4812/npm-package-wrangler-4812Or you can use npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7631624262/npm-package-wrangler-4812 dev path/to/script.jsAdditional artifacts:npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7631624262/npm-package-create-cloudflare-4812 --no-auto-updatenpm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7631624262/npm-package-miniflare-4812npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7631624262/npm-package-cloudflare-pages-shared-4812Note that these links will no longer work once the GitHub Actions artifact expires.
Please ensure constraints are pinned, and |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4812 +/- ##
==========================================
+ Coverage 70.56% 70.63% +0.06%
==========================================
Files 290 290
Lines 15089 15089
Branches 3828 3828
==========================================
+ Hits 10648 10658 +10
+ Misses 4441 4431 -10 |
| request.headers.set("Host", url.host); | ||
| // Only rewrite Origin header if there is already one | ||
| if (request.headers.has("Origin")) { | ||
| request.headers.set('Origin', url.origin); |
There was a problem hiding this comment.
Ooo this should be " instead of '. I guess we're not running miniflare's linting checks in CI?
There was a problem hiding this comment.
It is purposefully ignored -
Line 38 in 93e88c4
There was a problem hiding this comment.
I'll fix up that formatting. But we should probably bring miniflare into the fold with the same prettier settings as the rest of the mono-repo. As far as I can tell the only difference is trailing commas.
There was a problem hiding this comment.
I think the other difference is that Miniflare uses Prettier 3, whereas the rest use Prettier 2.
There was a problem hiding this comment.
I was basing it off of removing the prettier ignore and running the formatting fix up command at the root.
petebacondarwin
force-pushed
the
pbacondarwin/fix-origin-header
branch
from
0de1e16 to
5f907e2
Compare
The `wrangler dev` command puts the Worker under test behind a proxy server. This proxy server should be transparent to the client and the Worker, which means that the `Request` arriving at the Worker with the correct `url` property, and `Host` and `Origin` headers. Previously we fixed the `Host` header but missed the `Origin` header which is only added to a request under certain circumstances, such as cross-origin requests. This change fixes the `Origin` header as well, so that it is rewritten, when it exists, to use the `origin` of the `url` property. Fixes #4761
petebacondarwin
force-pushed
the
pbacondarwin/fix-origin-header
branch
from
7f2f623 to
0337596
Compare
|
Hey @petebacondarwin and @mrbbot, I have a question regarding this PR and would be very grateful if you could clarify it for me 🙂 I am building an application that has a React frontend making requests to Cloudflare workers. Whenever any request is sent, the After looking at this PR, I noticed that the Origin header is being set in the following lines: if (rewriteHeadersFromOriginalUrl) {
request.headers.set("Host", url.host);
// Only rewrite Origin header if there is already one
if (request.headers.has("Origin")) {
request.headers.set("Origin", url.origin);
}
}I'm having trouble figuring out why the Origin header needs to be set to the request url, and not to its original value ( |
|
@afonsocrg - happy to try to help. Can you confirm what version of Wrangler you are using, and exactly what your setup is here? It seems from what you are saying that you are running |
|
@petebacondarwin thanks for the fast reply!! This behavior happens only in versions 3.25 and 3.26. The worker was running using The React app is running on I expected the headers to be the same as the ones sent by the browser, so that the wrangler layer is transparent to the worker |
|
How does the request get to the Worker if it is running at localhost:8787 and the browser is making a request to locahost:5173? |
|
Sorry, the frontend is running at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin |
|
This stuff is so confusing but here is my take on how this should work.
So as I understand it, if you have a web page hosted at With that in mind, you might be right that something in our implementation is a bit off in our implementation of this fix, since we are reconstructing the Origin header from the request url origin, rather than the referring URL... |
In #4812 we tried to fix the Origin headers to match the Host header but were overzealous and rewrote Origin headers for external origins (outside of the proxy server's origin). This is now fixed, and moreover we rewrite any headers that refer to the proxy server on the request with the configured host and vice versa on the response. This should ensure that CORS is not broken in browsers when a different host is being simulated based on routes in the Wrangler configuration.
In #4812 we tried to fix the Origin headers to match the Host header but were overzealous and rewrote Origin headers for external origins (outside of the proxy server's origin). This is now fixed, and moreover we rewrite any headers that refer to the proxy server on the request with the configured host and vice versa on the response. This should ensure that CORS is not broken in browsers when a different host is being simulated based on routes in the Wrangler configuration.
In #4812 we tried to fix the Origin headers to match the Host header but were overzealous and rewrote Origin headers for external origins (outside of the proxy server's origin). This is now fixed, and moreover we rewrite any headers that refer to the proxy server on the request with the configured host and vice versa on the response. This should ensure that CORS is not broken in browsers when a different host is being simulated based on routes in the Wrangler configuration.
…#4950) fix: ensure we do not rewrite external Origin headers in wrangler dev In #4812 we tried to fix the Origin headers to match the Host header but were overzealous and rewrote Origin headers for external origins (outside of the proxy server's origin). This is now fixed, and moreover we rewrite any headers that refer to the proxy server on the request with the configured host and vice versa on the response. This should ensure that CORS is not broken in browsers when a different host is being simulated based on routes in the Wrangler configuration.
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [wrangler](https://togithub.com/cloudflare/workers-sdk) ([source](https://togithub.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler)) | [`3.28.1` -> `3.28.2`](https://renovatebot.com/diffs/npm/wrangler/3.28.1/3.28.2) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>cloudflare/workers-sdk (wrangler)</summary> ### [`v3.28.2`](https://togithub.com/cloudflare/workers-sdk/blob/HEAD/packages/wrangler/CHANGELOG.md#3282) [Compare Source](https://togithub.com/cloudflare/workers-sdk/compare/wrangler@3.28.1...wrangler@3.28.2) ##### Patch Changes - [#​4950](https://togithub.com/cloudflare/workers-sdk/pull/4950) [`05360e43`](https://togithub.com/cloudflare/workers-sdk/commit/05360e432bff922def960e86690232c762fad284) Thanks [@​petebacondarwin](https://togithub.com/petebacondarwin)! - fix: ensure we do not rewrite external Origin headers in wrangler dev In [https://github.com/cloudflare/workers-sdk/pull/4812](https://togithub.com/cloudflare/workers-sdk/pull/4812) we tried to fix the Origin headers to match the Host header but were overzealous and rewrote Origin headers for external origins (outside of the proxy server's origin). This is now fixed, and moreover we rewrite any headers that refer to the proxy server on the request with the configured host and vice versa on the response. This should ensure that CORS is not broken in browsers when a different host is being simulated based on routes in the Wrangler configuration. <!----> - [#​4997](https://togithub.com/cloudflare/workers-sdk/pull/4997) [`bfeefe27`](https://togithub.com/cloudflare/workers-sdk/commit/bfeefe275390491a7bb71f01550b3cb368d13320) Thanks [@​dario-piotrowicz](https://togithub.com/dario-piotrowicz)! - chore: add missing `defineNavigatorUserAgent` dependency to useEsbuild hook <!----> - [#​4966](https://togithub.com/cloudflare/workers-sdk/pull/4966) [`36692326`](https://togithub.com/cloudflare/workers-sdk/commit/366923264fe2643acee0761c849ad0dc3922ad6c) Thanks [@​penalosa](https://togithub.com/penalosa)! - fix: Report Custom Build failures as `UserError`s <!----> - [#​5002](https://togithub.com/cloudflare/workers-sdk/pull/5002) [`315a651b`](https://togithub.com/cloudflare/workers-sdk/commit/315a651b5742a614fd950c29b5dac5fdd2d1f270) Thanks [@​dario-piotrowicz](https://togithub.com/dario-piotrowicz)! - chore: rename `getBindingsProxy` to `getPlatformProxy` initially `getBindingsProxy` was supposed to only provide proxies for bindings, the utility has however grown, including now `cf`, `ctx` and `caches`, to clarify the increased scope the utility is getting renamed to `getPlatformProxy` and its `bindings` field is getting renamed `env` *note*: `getBindingProxy` with its signature is still kept available, making this a non breaking change - Updated dependencies \[[`05360e43`](https://togithub.com/cloudflare/workers-sdk/commit/05360e432bff922def960e86690232c762fad284)]: - miniflare@3.20240129.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Johannes-Andersen/Johannes). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNzMuMCIsInVwZGF0ZWRJblZlciI6IjM3LjE3My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
The
wrangler devcommand puts the Worker under test behind a proxy server. This proxy server should be transparent to the client and the Worker, which means that theRequestarriving at the Worker with the correcturlproperty, andHostandOriginheaders.Previously we fixed the
Hostheader but missed theOriginheader which is only added to a request under certain circumstances, such as cross-origin requests.What this PR solves / how to test:
This change fixes the
Originheader as well, so that it is rewritten, when it exists, to use theoriginof theurlproperty.A nice way to test this is to simply clone the reproduction from #4761 - https://github.com/Le0Developer/wrangler-host-header-repro, then replace the local Miniflare with the pre-release one from this PR.
Fixes #4761
Author has addressed the following: