uploads: do not use Origin header in fetchDoc

The `Origin` header is produced by `getTransitiveHeaders` but we don't need it here, as this is only for an internal request where no cross-origin attacks are possible.
gristlabs · Apr 10, 2024 · 400937f · 400937f
1 parent 17ea97d
commit 400937f
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/app/server/lib/uploads.ts b/app/server/lib/uploads.ts
@@ -409,6 +409,12 @@ export async function fetchDoc(server: GristServer, docId: string, req: Request,
   // Prepare headers that preserve credentials of current user.
   const headers = getTransitiveHeaders(req);
 
+  // Passing the Origin header would serve no purpose here, as we are
+  // constructing an internal request to fetch from our own doc worker
+  // URL. Indeed, it may interfere, as it could incur a CORS check in
+  // `trustOrigin`, which we do not need.
+  delete headers.Origin;
+
   // Find the doc worker responsible for the document we wish to copy.
   // The backend needs to be well configured for this to work.
   const homeUrl = server.getHomeUrl(req);