Closed Bug 1502904 Opened 7 years ago Closed 7 years ago

Fetch API adds “origin” header to same-origin GET request

Categories

(Core :: DOM: Core & HTML, defect, P2)

65 Branch
defect

RESOLVED DUPLICATE of bug 1444278

People

(Reporter: sime.vidas, Assigned: jkt)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

1. Open https://github.com (it doesn’t matter if you’re not logged in)
2. Open the console in Firefox Developer Tools
3. Execute `fetch('/dashboard/recent-activity')`
4. Switch to the Network panel and check the request headers of the resulting fetch request

Actual results:

Among the request headers, there will be “origin: https://github.com.”

Expected results:

This header should not be included (it’s not added in Chrome, Safari, Edge) since the request is a same-origin GET request.

Relevant spec section: https://fetch.spec.whatwg.org/#origin-header

This interop issue is not negligible. I have encountered a scenario on my website where adding the “origin” header caused the response to be an outdated version of the requested file. I’m still not sure what exactly happened here, but I *can* confirm that the issue was caused by the “origin” header, since it didn’t occur when I would remove this header and re-send the request.

> copy->mForceOriginHeader = true;

It looks like that should be something like:

copy->mForceOriginHeader = mMode == RequestMode::Cors || (mMethod != "GET" && mMethod != "HEAD");

Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Priority: -- → P2
Product: Firefox → Core
:baku I see a few other places that we explicitly set the mForceOriginHeader to be false:
https://searchfox.org/mozilla-central/search?q=mForceOriginHeader&case=false&regexp=false&path=

If those should be handled in the same manner, should I just modify the getter method to do the checks instead?
https://searchfox.org/mozilla-central/rev/8848b9741fc4ee4e9bc3ae83ea0fc048da39979f/dom/fetch/InternalRequest.h#456

Assignee: nobody → jkt
Attachment #9020819 - Flags: feedback?(amarchesini)
> :baku I see a few other places that we explicitly set the mForceOriginHeader
> to be false:

I would remove mForceOriginHeader and ForceOriginHeader() completely.

> https://searchfox.org/mozilla-central/rev/8848b9741fc4ee4e9bc3ae83ea0fc048da39979f/dom/fetch/InternalRequest.h#456

here I would add your:

mMode == RequestMode::Cors || (mMethod != "GET" && mMethod != "HEAD");

Attachment #9020819 - Flags: feedback?(amarchesini) → feedback-
Looks like we have wpt tests for this: /fetch/api/redirect/redirect-origin.any.html that we are failing.

Oddly for requests made by the console the mMode is RequestMode::Cors.

Pushing to try without checking for this:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=99b7200a5b0c0b855c35b63d467207221ca38766

(In reply to Jonathan Kingston [:jkt] from comment #4)
> Looks like we have wpt tests for this:
> /fetch/api/redirect/redirect-origin.any.html that we are failing.
>
> Oddly for requests made by the console the mMode is RequestMode::Cors.
>
> Pushing to try without checking for this:
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=99b7200a5b0c0b855c35b63d467207221ca38766

I would prefer to do this in bug 1444278 and update the wpt test there

See Also: → 1444278
Thomas should we mark this as duplicate then? Are you going to handle all of the issues in the other bug?
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML
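
The condition proposed in the comments above, evaluated over a few requests, as an added example that is not part of the original thread and is not Gecko code. It shows that the condition as written still attaches `Origin` to the reporter's same-origin GET, because the request carries mode "cors" as noted in comment 4. The function names, the sample requests other than the reporter's, and the second predicate (which counts "cors" only when the request actually crosses origins) are assumptions made for illustration.

```javascript
// Added illustration, not Gecko code; every name below is hypothetical.

// True when `url`, resolved against the page, stays on the page's origin.
function isSameOrigin(pageOrigin, url) {
  return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
}

function isGetOrHead(method) {
  const m = method.toUpperCase();
  return m === "GET" || m === "HEAD";
}

// Condition as written in the thread: mode is "cors", or method is not GET/HEAD.
function threadPredicate(req) {
  return req.mode === "cors" || !isGetOrHead(req.method);
}

// Assumed variant: "cors" only counts when the request really crosses origins.
function crossOriginAwarePredicate(req) {
  const crossesOrigin = !isSameOrigin(req.pageOrigin, req.url);
  return (req.mode === "cors" && crossesOrigin) || !isGetOrHead(req.method);
}

// Constructed sample requests. fetch() uses mode "cors" unless told otherwise.
const SAMPLES = [
  { name: "reporter's case", pageOrigin: "https://github.com",
    url: "/dashboard/recent-activity", method: "GET", mode: "cors" },
  { name: "same-origin POST", pageOrigin: "https://app.example.test",
    url: "/settings", method: "POST", mode: "cors" },
  { name: "cross-origin GET", pageOrigin: "https://app.example.test",
    url: "https://api.example.test/data", method: "GET", mode: "cors" },
  { name: "same-origin HEAD", pageOrigin: "https://app.example.test",
    url: "/health", method: "HEAD", mode: "same-origin" },
  { name: "cross-origin no-cors GET", pageOrigin: "https://app.example.test",
    url: "https://cdn.example.test/logo.png", method: "GET", mode: "no-cors" },
];

// One row per request: would each predicate attach an Origin header?
function compare(samples) {
  return samples.map((req) => ({
    name: req.name,
    thread: threadPredicate(req),
    crossOriginAware: crossOriginAwarePredicate(req),
  }));
}

console.table(compare(SAMPLES));
```

Only the first row differs between the two columns: the reporter's same-origin GET.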