Closed Bug 1502904 Opened 6 years ago Closed 6 years ago

Fetch API adds “origin” header to same-origin GET request

Categories

(Core :: DOM: Core & HTML, defect, P2)

65 Branch

RESOLVED DUPLICATE of bug 1444278

People

(Reporter: sime.vidas, Assigned: jkt)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

1. Open https://github.com (it doesn’t matter if you’re not logged in)
2. Open the console in Firefox Developer Tools
3. Execute `fetch('/dashboard/recent-activity')`
4. Switch to the Network panel and check the request headers of the resulting fetch request


Actual results:

Among the request headers, there will be “origin: https://github.com”.


Expected results:

This header should not be included (it’s not added in Chrome, Safari, Edge) since the request is a same-origin GET request.

Relevant spec section: https://fetch.spec.whatwg.org/#origin-header

This interop issue is not negligible. I have encountered a scenario on my website where adding the “origin” header caused the response to be an outdated version of the requested file. I’m still not sure what exactly happened here, but I *can* confirm that the issue was caused by the “origin” header, since it didn’t occur when I would remove this header and re-send the request.

> copy->mForceOriginHeader = true;

It looks like that should be something like:

copy->mForceOriginHeader = mMode == RequestMode::Cors || (mMethod != "GET" && mMethod != "HEAD");

Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Priority: -- → P2
Product: Firefox → Core

:baku I see a few other places that we explicitly set the mForceOriginHeader to be false:

https://searchfox.org/mozilla-central/search?q=mForceOriginHeader&case=false&regexp=false&path=


If those should be handled in the same manner, instead should I just modify the getter method to do the checks instead?

https://searchfox.org/mozilla-central/rev/8848b9741fc4ee4e9bc3ae83ea0fc048da39979f/dom/fetch/InternalRequest.h#456
Assignee: nobody → jkt
Attachment #9020819 - Flags: feedback?(amarchesini)

> :baku I see a few other places that we explicitly set the mForceOriginHeader
> to be false:

I would remove mForceOriginHeader and ForceOriginHeader() completely.

> https://searchfox.org/mozilla-central/rev/
> 8848b9741fc4ee4e9bc3ae83ea0fc048da39979f/dom/fetch/InternalRequest.h#456

here I would add your: mMode == RequestMode::Cors || (mMethod != "GET" && mMethod != "HEAD");
Attachment #9020819 - Flags: feedback?(amarchesini) → feedback-

Looks like we have wpt tests for this: /fetch/api/redirect/redirect-origin.any.html that we are failing.

Oddly for requests made by the console the mMode is RequestMode::Cors.

Pushing to try without checking for this: https://treeherder.mozilla.org/#/jobs?repo=try&revision=99b7200a5b0c0b855c35b63d467207221ca38766

(In reply to Jonathan Kingston [:jkt] from comment #4)
> Looks like we have wpt tests for this:
> /fetch/api/redirect/redirect-origin.any.html that we are failing.
> 
> Oddly for requests made by the console the mMode is RequestMode::Cors.
> 
> Pushing to try without checking for this:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=99b7200a5b0c0b855c35b63d467207221ca38766

I would prefer to do this in bug 1444278 and update the wpt test there
See Also: → 1444278

Thomas should we mark this as duplicate then? Are you going to handle all of the issues in the other bug?

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML