fix(http): remove unexpectedly changing origin header when unsafe-headers feature enabled #1703
The origin is automatically set, as requested in #1167; you can override this behavior by setting the origin using
I think it's very confusing for the "automatically setting Origin header" behaviour to be turned off by turning on another feature flag. For convenience, I wish that code would get removed.
I don't mind having an option to disable setting the
Package Changes Through 0e1fcb4
There are 57 changes which include dialog with prerelease, dialog-js with prerelease, fs with prerelease, global-shortcut with prerelease, single-instance with prerelease, store with prerelease, authenticator with prerelease, autostart with prerelease, barcode-scanner with prerelease, biometric with prerelease, cli with prerelease, clipboard-manager with prerelease, deep-link with prerelease, http with prerelease, localhost with prerelease, log-plugin with prerelease, nfc with prerelease, notification with prerelease, os with prerelease, persisted-scope with prerelease, positioner with prerelease, process with prerelease, shell with prerelease, sql with prerelease, stronghold with prerelease, updater with prerelease, upload with prerelease, websocket with prerelease, window-state with prerelease, authenticator-js with prerelease, autostart-js with prerelease, barcode-scanner-js with prerelease, biometric-js with prerelease, cli-js with prerelease, clipboard-manager-js with prerelease, deep-link-js with prerelease, fs-js with prerelease, global-shortcut-js with prerelease, http-js with prerelease, log-js with prerelease, nfc-js with prerelease, notification-js with prerelease, os-js with prerelease, positioner-js with prerelease, process-js with prerelease, shell-js with prerelease, sql-js with prerelease, store-js with prerelease, stronghold-js with prerelease, updater-js with prerelease, upload-js with prerelease, websocket-js with prerelease, window-state-js with prerelease, haptics with prerelease, haptics-js with prerelease, geolocation with prerelease, geolocation-js with prerelease
Planned Package Versions
The following package releases are the planned based on the context of changes in this pull request.
Add another change file through the GitHub UI by following this link. Read about change files or the docs at github.com/jbolda/covector
Yeah, adding an option to each fetch call would be better because the dev doesn't need to read an external document for that.
@PeraSite, would you like to implement the option in this PR, or would you like to close this and create an issue instead so that I or someone else can work on it?
Let me close this PR first.
When you use the unsafe-headers feature flag, the website displays CORS-related errors, because when you turn on the unsafe-headers feature flag, tauri automatically sets the Origin header to localhost.
This is very confusing, and it is impossible to debug unless you look at the source code.
It will have to be up to the developer, not tauri, to set the Origin header value.
And it doesn't even fit the name "unsafe-headers".
In the first place, why does tauri filter the headers by the unsafe-headers feature?
When I first used plugin-http, I had a hard time because a specific header was not recognized by tauri.
May I know why this feature was introduced?
If it's a security issue, it should be fully explained in the documentation.