Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't pass origin as an HTTP header #2250

Merged
merged 1 commit into from
Oct 3, 2017
Merged

Don't pass origin as an HTTP header #2250

merged 1 commit into from
Oct 3, 2017

Conversation

interfect
Copy link
Contributor

Fixes #1779.

That issue seems to be caused by MetaMask demanding to send the x-metamask-origin header, and Ethereum nodes responding with CORS responses that disallow that header. I posted a Wireshark dump in #1779 that illustrates the problem.

This is a different fix than #2138. In particular, this fix is compatible with the "Custom RPC" option; in general the extension needs to be able to make requests against arbitrary user-submitted Ethereum nodes, and they can't all be put in the manifest to be exempted from proper CORS checking.

On the other hand, this fix just removes the x-metamask-origin header, which presumably was added for a reason. However, since apparently neither Infura nor Parity send CORS responses allowing this header, I don't think it's really tenable to have MetaMask try and send it. If it's really needed for Infura, it should be sent only when Infura is the node provider, until non-Infura nodes can tolerate it.

@interfect
Don't pass origin as an HTTP header
8cc8fec 
Requests with this nonstandard header are being blocked by CORS when
made against Parity.

Not sending it ought to fix MetaMask#1779.
@interfect
Copy link
Contributor Author

@kumavis Can you speak to why you added this header? Does it make sense to remove it?

@interfect interfect mentioned this pull request Oct 2, 2017
Closed
@kumavis
Copy link
Member

kumavis commented Oct 2, 2017

@interfect the header is mostly added as a debugging mechanism, to track what dapp is making the rpc request. We also use it to yell at dapp devs when they are spamming the hell out of our network.

I agree this header does not need to be set in all cases - will look into setting it only under infura config.

frankiebee
frankiebee reviewed Oct 3, 2017
View reviewed changes
Copy link
Contributor

@frankiebee frankiebee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@frankiebee frankiebee merged commit 948a0b1 into MetaMask:master Oct 3, 2017
@bdresser bdresser mentioned this pull request Jul 5, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frankiebee frankiebee frankiebee approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@interfect @kumavis @frankiebee