Bug 1502904
Opened 6 years ago
Closed 6 years ago
Fetch API adds “origin” header to same-origin GET request
Categories: Core :: DOM: Core & HTML, defect, P2
Status: RESOLVED DUPLICATE of bug 1444278
People: Reporter: sime.vidas, Assigned: jkt
Attachments (1 file)
931 bytes, patch (baku: feedback-)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:
1. Open https://github.com (it doesn’t matter if you’re not logged in)
2. Open the console in Firefox Developer Tools
3. Execute `fetch('/dashboard/recent-activity')`
4. Switch to the Network panel and check the request headers of the resulting fetch request

Actual results:
Among the request headers, there will be “origin: https://github.com”.

Expected results:
This header should not be included (it’s not added in Chrome, Safari, Edge) since the request is a same-origin GET request. Relevant spec section: https://fetch.spec.whatwg.org/#origin-header

This interop issue is not negligible. I have encountered a scenario on my website where adding the “origin” header caused the response to be an outdated version of the requested file. I’m still not sure what exactly happened here, but I *can* confirm that the issue was caused by the “origin” header, since it didn’t occur when I would remove this header and re-send the request.
Comment 1 • 6 years ago (Assignee)
> copy->mForceOriginHeader = true;
It looks like that should be something like:
copy->mForceOriginHeader = mMode == RequestMode::Cors || (mMethod != "GET" && mMethod != "HEAD");
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Priority: -- → P2
Product: Firefox → Core
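To make the three behaviours discussed here concrete, the following is an added example (not Firefox code) that models the Origin-header decision for a fetch() request: the reported always-on behaviour, the condition proposed in comment 1, and a simplified reading of the spec rule in which the trigger is a cross-origin cors request (“cors” response tainting) rather than cors mode alone. The simplification, the `originHeaderBySpec` name and all request values are assumptions constructed for the example; websocket mode and referrer-policy handling from the spec are left out.

```javascript
// Added example, not Firefox code: which fetch() requests carry an Origin header?
// Request origins and URLs below are constructed sample values.

// Reported Firefox behaviour: the header is forced on for every request.
function originHeaderAlways(_req) {
  return true;
}

// Condition proposed in comment 1: cors mode, or a method other than GET/HEAD.
function originHeaderByMode(req) {
  return req.mode === "cors" || (req.method !== "GET" && req.method !== "HEAD");
}

// Simplified spec rule (assumption): the trigger is "cors" response tainting,
// i.e. a cors-mode request that is actually cross-origin. A same-origin GET
// issued from the console (mode "cors") therefore sends no Origin header.
function originHeaderBySpec(req) {
  const crossOrigin = new URL(req.url).origin !== req.origin;
  const corsTainted = req.mode === "cors" && crossOrigin;
  return corsTainted || (req.method !== "GET" && req.method !== "HEAD");
}

// Request headers a browser would send under a given decision rule.
function requestHeaders(req, rule) {
  const headers = { host: new URL(req.url).host };
  if (rule(req)) headers.origin = req.origin;
  return headers;
}

// Constructed cases: the reporter's same-origin GET, the console fetch
// (mode cors, same origin), a same-origin POST, and a cross-origin cors GET.
const cases = [
  { name: "same-origin GET",        origin: "https://github.com", url: "https://github.com/dashboard/recent-activity", method: "GET",  mode: "same-origin" },
  { name: "console GET, mode cors", origin: "https://github.com", url: "https://github.com/dashboard/recent-activity", method: "GET",  mode: "cors" },
  { name: "same-origin POST",       origin: "https://github.com", url: "https://github.com/api/star",                  method: "POST", mode: "same-origin" },
  { name: "cross-origin cors GET",  origin: "https://github.com", url: "https://api.example.test/v1/items",            method: "GET",  mode: "cors" },
];

// Evaluate every case under the three rules so they can be compared side by side.
function compareRules() {
  return cases.map((c) => ({
    name: c.name,
    always: originHeaderAlways(c),
    byMode: originHeaderByMode(c),
    bySpec: originHeaderBySpec(c),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareRules());
}
```

Only the same-origin POST and the cross-origin cors GET should carry the header under the spec reading; the second case is where comment 1's condition and the spec differ.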
Comment 2 • 6 years ago (Assignee)
:baku I see a few other places that we explicitly set the mForceOriginHeader to be false: https://searchfox.org/mozilla-central/search?q=mForceOriginHeader&case=false&regexp=false&path=

If those should be handled in the same manner, should I just modify the getter method to do the checks instead? https://searchfox.org/mozilla-central/rev/8848b9741fc4ee4e9bc3ae83ea0fc048da39979f/dom/fetch/InternalRequest.h#456
Assignee: nobody → jkt
Attachment #9020819 - Flags: feedback?(amarchesini)
Comment 3 • 6 years ago
> :baku I see a few other places that we explicitly set the mForceOriginHeader
> to be false:

I would remove mForceOriginHeader and ForceOriginHeader() completely.

> https://searchfox.org/mozilla-central/rev/8848b9741fc4ee4e9bc3ae83ea0fc048da39979f/dom/fetch/InternalRequest.h#456

Here I would add your:
mMode == RequestMode::Cors || (mMethod != "GET" && mMethod != "HEAD");
Updated • 6 years ago
Attachment #9020819 - Flags: feedback?(amarchesini) → feedback-
Comment 4 • 6 years ago (Assignee)
Looks like we have wpt tests for this: /fetch/api/redirect/redirect-origin.any.html that we are failing.

Oddly, for requests made by the console the mMode is RequestMode::Cors.

Pushing to try without checking for this: https://treeherder.mozilla.org/#/jobs?repo=try&revision=99b7200a5b0c0b855c35b63d467207221ca38766
Comment 5 • 6 years ago
(In reply to Jonathan Kingston [:jkt] from comment #4)
> Looks like we have wpt tests for this: /fetch/api/redirect/redirect-origin.any.html that we are failing.
>
> Oddly, for requests made by the console the mMode is RequestMode::Cors.
>
> Pushing to try without checking for this: https://treeherder.mozilla.org/#/jobs?repo=try&revision=99b7200a5b0c0b855c35b63d467207221ca38766

I would prefer to do this in bug 1444278 and update the wpt test there.
Comment 6 • 6 years ago (Assignee)
Thomas, should we mark this as a duplicate then? Are you going to handle all of the issues in the other bug?
Updated • 6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Updated • 5 years ago
Component: DOM → DOM: Core & HTML