Skip to content

feat: allow http calls without origin header #1941

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Oct 16, 2024
Merged

feat: allow http calls without origin header #1941

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9dd6274
Allow http calls without origin header
Nipsuli Oct 14, 2024
5c3e8cd
Merge branch 'tauri-apps:v2' into allow-no-origin
Nipsuli Oct 15, 2024
5b4e2b6
add changes entry
Nipsuli Oct 16, 2024
943de57
Update .changes/http-allow-skip-origin.md
Nipsuli Oct 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .changes/http-allow-skip-origin.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
"http": "patch"
"http-js": "patch"
---

Allow skipping sending Origin header in HTTP requests by sending empty string as the value for Origin header.
8 changes: 8 additions & 0 deletions plugins/http/src/commands.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -264,6 +264,14 @@ pub async fn fetch<R: Runtime>(
}
}

// In case empty origin is passed, remove it. Some services do not like Origin header
// so this way we can remove it in explicit way. The default behaviour is still to set it
if cfg!(feature = "unsafe-headers")
&& headers.get(header::ORIGIN) == Some(&HeaderValue::from_static(""))
Copy link
Member

@amrbashir amrbashir Oct 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should match on an empty string, because there might be some users who want to send empty string for Origin. I'd rather add a new option when making the request, for example:

fetch(url, {
  sendOriginHeader: false
});

Copy link
Contributor Author

@Nipsuli Nipsuli Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is something I was thinking a lot. Like I'd like to avoid adding extra parameters to the fetch and try to keep the fetch as close to global fetch. And in case of patching global fetch with tauri-http (example to get control what fetches actually can be made) the consumers assume standard fetch. Different libraries support some pre/post hooks for different operations that allow example inject headers and such like for custom auth and they operate with the RequestInit object.

And the syntax of Origin header is:

Origin: null
Origin: <scheme>://<hostname>
Origin: <scheme>://<hostname>:<port>

MDN origin header
RFC 6454

Sending an empty string is invalid format. In case user wants to hide the origin for example privacy reasons they should set it to null string literal.

For these reasons I ended up with sending empty string in the origin header as the mechanism.

I hope my reasoning makes sense.

Copy link
Member

@amrbashir amrbashir Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was comparing with how node and deno runtimes behave and both allow setting Origin to an empty string. However your reasoning is quite valid and I think we should go with your approach until someone else asks for this specific behavior.

{
headers.remove(header::ORIGIN);
};

if let Some(data) = data {
request = request.body(data);
}
Expand Down
Loading