Origin header is missing on request in fetch event

[jurijzahn8019]

Hi there,

I have managed to run my js app with winterjs.

I have a csrf Middleware which evaluates request origin header. And I discovered that the header is always undefined.

I added a log statement right away in the event handler to verify it not my request pipeline, and yes header is missing.

Do I miss something?

Thank you in advance and you make a great job!

[syrusakbary]

Good call! This looks like a bug
@Arshia001 will work on it soon!

[Arshia001]

@jurijzahn8019 thanks for reporting this!

If my understanding is correct, browsers set the Origin header to the domain name of the page that's currently loaded and caused the fetch call. Since WinterJS is running outside the browser, there is no domain name that can be placed in the Origin header. However, you can always add the header manually (which is normally impossible in browsers AFAIK) like so:

let request = new Request('https://foo.bar');
request.headers.append('Origin', 'https://baz.me');

[jurijzahn8019]

Hi, thanks, what I mean, is that the header is not present in the event request at all.

[Arshia001]

Are you referring to FetchEvent.request.headers? I believe we pass request headers to JS code exactly as they are received, so if the header was present when the request was made, it should arrive at the JS event handler. I'll try to reproduce this issue.

[jurijzahn8019]

Yeah, I have used wasmer btw. Maybe this may be the issue. I don't know.

[Arshia001]

You're actually right, the origin header does get removed from the request. I'll investigate.