fix(playground-preview-worker,edge-preview-authenticated-proxy): ensure no body is passed when constructing a GET or HEAD request to the preview worker (#7793)

Author: edmundhung

.changeset/clean-sheep-promise.md

@@ -0,0 +1,6 @@
+---
+"edge-preview-authenticated-proxy": patch
+"playground-preview-worker": patch
+---
+
+fix: ensure no body is passed when constructing a GET or HEAD request to the preview worker

packages/edge-preview-authenticated-proxy/src/index.ts

@@ -230,14 +230,12 @@ async function handleRawHttp(request: Request, url: URL) {
 		}
 	}
 
-	const workerResponse = await fetch(
-		switchRemote(url, remote),
-		new Request(request, {
-			method,
-			headers: requestHeaders,
-			redirect: "manual",
-		})
-	);
+	const workerResponse = await fetch(switchRemote(url, remote), {
+		method,
+		headers: requestHeaders,
+		body: method === "GET" || method === "HEAD" ? null : request.body,
+		redirect: "manual",
+	});
 
 	const responseHeaders = new Headers(workerResponse.headers);
 

packages/edge-preview-authenticated-proxy/tests/index.test.ts

@@ -335,7 +335,9 @@ describe("Raw HTTP preview", () => {
 							return Response.redirect("https://example.com", 302)
 						}
 						if(url.pathname === "/method") {
-							return new Response(request.method)
+							return new Response(request.method, {
+								headers: { "Test-Http-Method": request.method },
+							})
 						}
 						if(url.pathname === "/status") {
 							return new Response(407)
@@ -487,6 +489,30 @@ compatibility_date = "2023-01-01"
 		expect(await resp.text()).toEqual("PUT");
 	});
 
+	it.each(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"])(
+		"should support %s method specified on the X-CF-Http-Method header",
+		async (method) => {
+			const token = randomBytes(4096).toString("hex");
+			const resp = await worker.fetch(
+				`https://0000.rawhttp.devprod.cloudflare.dev/method`,
+				{
+					method: "POST",
+					headers: {
+						origin: "https://cloudflare.dev",
+						"X-CF-Token": token,
+						"X-CF-Remote": `http://127.0.0.1:${remote.port}`,
+						"X-CF-Http-Method": method,
+					},
+				}
+			);
+
+			// HEAD request does not return any body. So we will confirm by asserting the response header
+			expect(await resp.text()).toEqual(method === "HEAD" ? "" : method);
+			// Header from the client response will be prefixed with "cf-ew-raw-"
+			expect(resp.headers.get("cf-ew-raw-Test-Http-Method")).toEqual(method);
+		}
+	);
+
 	it("should fallback to the request method if the X-CF-Http-Method header is missing", async () => {
 		const token = randomBytes(4096).toString("hex");
 		const resp = await worker.fetch(

packages/playground-preview-worker/src/index.ts

@@ -79,17 +79,14 @@ async function handleRawHttp(request: Request, url: URL, env: Env) {
 		}
 	}
 
-	const workerResponse = await userObject.fetch(
-		url,
-		new Request(request, {
-			method,
-			headers: {
-				...Object.fromEntries(headers),
-				"cf-run-user-worker": "true",
-			},
-			redirect: "manual",
-		})
-	);
+	headers.append("cf-run-user-worker", "true");
+
+	const workerResponse = await userObject.fetch(url, {
+		method,
+		headers,
+		body: method === "GET" || method === "HEAD" ? null : request.body,
+		redirect: "manual",
+	});
 
 	const responseHeaders = new Headers(workerResponse.headers);
 

packages/playground-preview-worker/tests/index.test.ts

@@ -24,7 +24,9 @@ export default {
 			return Response.redirect("https://example.com", 302)
 		}
 		if(url.pathname === "/method") {
-			return new Response(request.method)
+			return new Response(request.method, {
+				headers: { "Test-Http-Method": request.method },
+			})
 		}
 		if(url.pathname === "/status") {
 			return new Response(407)
@@ -257,6 +259,25 @@ describe("Preview Worker", () => {
 
 		expect(await resp.text()).toEqual("PUT");
 	});
+	it.each(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"])(
+		"should handle %s method specified on the X-CF-Http-Method header",
+		async (method) => {
+			const resp = await fetch(`${PREVIEW_REMOTE}/method`, {
+				method: "POST",
+				headers: {
+					"X-CF-Token": defaultUserToken,
+					"X-CF-Http-Method": method,
+					"CF-Raw-HTTP": "true",
+				},
+				redirect: "manual",
+			});
+
+			// HEAD request does not return any body. So we will confirm by asserting the response header
+			expect(await resp.text()).toEqual(method === "HEAD" ? "" : method);
+			// Header from the client response will be prefixed with "cf-ew-raw-"
+			expect(resp.headers.get("cf-ew-raw-Test-Http-Method")).toEqual(method);
+		}
+	);
 	it("should fallback to the request method if the X-CF-Http-Method header is missing", async () => {
 		const resp = await fetch(`${PREVIEW_REMOTE}/method`, {
 			method: "PUT",