From 400937fea38d218677a6cef9c79b43d994e256c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jordi=20Guti=C3=A9rrez=20Hermoso?=
Date: Wed, 10 Apr 2024 14:24:39 -0400
Subject: [PATCH] uploads: do not use Origin header in `fetchDoc`

The `Origin` header is produced by `getTransitiveHeaders` but we don't need it here, as this is only for an internal request where no cross-origin attacks are possible.
---
 app/server/lib/uploads.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/server/lib/uploads.ts b/app/server/lib/uploads.ts
index a3eb45823d..f4170da24e 100644
--- a/app/server/lib/uploads.ts
+++ b/app/server/lib/uploads.ts
@@ -409,6 +409,12 @@ export async function fetchDoc(server: GristServer, docId: string, req: Request,
 // Prepare headers that preserve credentials of current user.
 const headers = getTransitiveHeaders(req);
 
+ // Passing the Origin header would serve no purpose here, as we are
+ // constructing an internal request to fetch from our own doc worker
+ // URL. Indeed, it may interfere, as it could incur a CORS check in
+ // `trustOrigin`, which we do not need.
+ delete headers.Origin;
+
 // Find the doc worker responsible for the document we wish to copy.
 // The backend needs to be well configured for this to work.
 const homeUrl = server.getHomeUrl(req);
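Review bot: The removal on `delete headers.Origin;` is coupled to the exact key casing that `getTransitiveHeaders` emits, which lies outside this hunk; if that helper ever produced lowercased keys (as Node's incoming headers are), the delete would become a silent no-op and the user's Origin would be forwarded to the doc worker again. Under `strict`, `delete` also only compiles when the property is optional in the helper's return type, so that type is worth checking rather than assuming. A destructuring form such as `const {Origin: _ignoredOrigin, ...headers} = getTransitiveHeaders(req);` avoids both the in-place mutation and the typing question, and the comment could drop "Indeed" and simply state that `trustOrigin` would otherwise run an unnecessary CORS check on a server-to-server request. `fetchDoc` begins and ends outside the hunk.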