5.3.0: Proxy should not rewrite the Origin header for non WS requests #17562

Closed
7 tasks done
johnhunter opened this issue Jun 25, 2024 · 1 comment · Fixed by #17563
Labels
pending triage · regression (The issue only appears after a new release)

Comments

@johnhunter
Contributor

Describe the bug

Originally reported on PR #16558 (comment)

This has broken my app's proxying behavior for the reasons you suspected above.

I am not using WS but I need my host header rewritten without my origin header rewritten, or else my CI fails.

Origin vs. Host Headers: The Key Difference

Host:

  • Tells the server which website/application is being requested.
  • Used for virtual hosting (multiple sites on one IP address).
  • Modified by the proxy when changeOrigin: true to match the target backend.

Origin:

  • Indicates the origin (protocol, domain, port) where the request initiated.
  • Primarily used for Cross-Origin Resource Sharing (CORS) security.
  • Not typically modified by proxies, even with changeOrigin: true. This is a browser security mechanism.

This change seems to leave the proxying open to CSRF attacks.

Perhaps it is wanted in a WS context, but I need a way to turn off the origin reassignment.

I'd prefer to have two options (as mentioned above) if you really need to maintain this behavior... rewriteHost and rewriteOrigin, with a warning on the latter.

Reproduction

Not available

Steps to reproduce

No response

System Info

Not available

Used Package Manager

npm

Logs

No response

Validations

@johnhunter
Contributor Author

Thanks for the response and explanation @tryforceful. I think the best approach is to:

  • revert the changeOrigin behaviour to the original
  • add a new option rewriteWsOrigin that rewrites the Origin header for ws requests only

@bluwy added the "regression" label (The issue only appears after a new release) Jun 27, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Jul 17, 2024