Skip to content

Comments

fix(proxy): replace changeOrigin changes in 5.3.0 with new rewriteWsOrigin option#17563

Merged
bluwy merged 4 commits intovitejs:mainfrom
johnhunter:issue-17562
Jul 2, 2024
Merged

fix(proxy): replace changeOrigin changes in 5.3.0 with new rewriteWsOrigin option#17563
bluwy merged 4 commits intovitejs:mainfrom
johnhunter:issue-17562

Conversation

@johnhunter
Copy link
Contributor

@johnhunter johnhunter commented Jun 25, 2024
edited
Loading

Description

fixes #17562
fixes #17520

This PR reverts the change to the changeOrigin option released in 5.3.0 and adds an alternative solution:

  • A new rewriteWsOrigin option which rewrites the Origin header for WebSocket requests only
  • Check for headersSent prior to rewriting, logging a warning if it does not rewrite
  • Update docs for new option and warns about the security implications

@johnhunterarenko
Address issue 17562
f6b370c 
- Revert changeOrigin behaviour
- Introduce rewriteWsOrigin option
- Only use rewriteWsOrigin in ws requests
- Update docs
@johnhunterarenko
Address issue 17520
c22faed 
- Check for headersSent before rewriting Origin
- Log warning if fails
@bolt-new-by-stackblitz
Copy link

bolt-new-by-stackblitz bot commented Jun 25, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@johnhunter johnhunter changed the title fix(proxy): Replace changeOrigin changes in 5.3.0 with new rewriteWsOrigin option fix(proxy): replace changeOrigin changes in 5.3.0 with new rewriteWsOrigin option Jun 25, 2024
@johnhunter johnhunter mentioned this pull request Jun 25, 2024
Merged
@pfdgithub
Copy link

pfdgithub commented Jun 27, 2024

Maybe a rewriteHttpOrigin option should be added as well?

bluwy
bluwy reviewed Jun 27, 2024
View reviewed changes
@bluwy bluwy added p4-important Violate documented behavior or significantly improves performance (priority) regression The issue only appears after a new release labels Jun 27, 2024
@johnhunter
Copy link
Contributor Author

johnhunter commented Jun 27, 2024

Maybe a rewriteHttpOrigin option should be added as well?

I haven't seen a use case for that yet, and given rewriting the Origin has security implications I'd prefer to not implement. If a need arises later we could revisit it.

@pfdgithub
Copy link

pfdgithub commented Jun 28, 2024
edited
Loading

Maybe a rewriteHttpOrigin option should be added as well?

I haven't seen a use case for that yet, and given rewriting the Origin has security implications I'd prefer to not implement. If a need arises later we could revisit it.

I have seen this use case:
Proxying to grafana server, i need to specify the Origin option in the headers.

Due to the diversity in HTTP implementation, compared to WebSocket, HTTP has more use cases where Origin checking is necessary.

bluwy
bluwy approved these changes Jun 28, 2024
View reviewed changes
Copy link
Member

@bluwy bluwy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Would also like @sapphi-red's eye on this in case I miss something

@pfdgithub I'm leaning towards fixing the regression first and we could revisit if we need rewriteHttpOrigin later. Since this introduces a new option, we'd need the team's opinion on this first, and introducing 2 new options may be more complicated.

@pfdgithub
Copy link

pfdgithub commented Jun 28, 2024

LGTM. Would also like @sapphi-red's eye on this in case I miss something

@pfdgithub I'm leaning towards fixing the regression first and we could revisit if we need rewriteHttpOrigin later. Since this introduces a new option, we'd need the team's opinion on this first, and introducing 2 new options may be more complicated.

The 'rewriteHttpOrigin' option is not required, there are other ways to implement it.
Thank you for your work and all the best.

sapphi-red
sapphi-red approved these changes Jun 29, 2024
View reviewed changes
Copy link
Member

@sapphi-red sapphi-red left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the PR!

Re rewriteHttpOrigin, I think we should have it if we have rewriteWsOrigin for consistency. (I'm fine with doing that in a separate PR)

@bluwy bluwy merged commit 14c3d49 into vitejs:main Jul 2, 2024
@bailicangdu bailicangdu mentioned this pull request Jul 8, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bluwy bluwy bluwy approved these changes

@sapphi-red sapphi-red sapphi-red approved these changes

Assignees

No one assigned

Labels

p4-important Violate documented behavior or significantly improves performance (priority) regression The issue only appears after a new release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5.3.0: Proxy should not rewrite the Origin header for non WS requests ERR_HTTP_HEADERS_SENT with 5.3.0 / 5.3.1 and https-proxy-agent configured

5 participants

@johnhunter @pfdgithub @bluwy @sapphi-red @johnhunterarenko