fix: make reverse proxy strip origin/referer hdr#102
Conversation
|
The header change seems sensible, but please don't touch the version number. We'll do that as part of the release process |
Very sorry, didn't mean to overstep. I'll revert that one. |
|
Given that node allows you to set an Origin header as desired and Lamdera backends should have the same capability I’d prefer this was refined to only strip off the value is localhost:$PORT where $PORT is the currently running Lamdera live process port binding. This both removes the browser set origin which isn’t expected while still allowing other intentional Origin headers. |
|
Fair point! I'll make it so |
|
will this suffice? I also stopped removing the referer, it won't make a difference in terms of CORS issues anyway |
Quick Summary: Strip
OriginandRefererheaders in the reverse proxy so that requests fromlamdera live's in-browser fake backend don't appear to originate from a browser, avoiding CORS rejections and other server-side browser-detection issues.SSCCE
-- N/A — this is a tooling fix in the reverse proxy, not an Elm code issue.Additional Details
The
lamdera livedev workflow runs a fake backend in the browser. Requests routed through the reverse proxy (port 8001) carried browser headers likeOriginandReferer, causing some servers to reject them or respond differently than they would to a real backend request. (Concrete example: Azure Entra with Authorization Code flow)Fix: added a
filterstep inmodReq(before the existing header transforms) to dropOriginandReferer. TheUser-Agentwas already being replaced with"node", so this completes the picture of making proxied requests look like they come from a non-browser client.Bumped patch version to
1.4.2.