🐛 BUG: Origin header is ignored in 3.25.0 - 3.27.0 versions #4849

Closed
flexchar opened this issue Jan 28, 2024 · 8 comments
Labels
- awaiting reporter response: Needs clarification or followup from OP
- bug: Something that isn't working
- regression: Break in existing functionality as a result of a recent change

Comments

@flexchar

flexchar commented Jan 28, 2024

Which Cloudflare product(s) does this pertain to?

Workers Runtime

What version(s) of the tool(s) are you using?

3.25.0

What version of Node are you using?

21.5.0

What operating system are you using?

Mac

Describe the Bug

After upgrading to 3.25.0, the Origin header is ignored. Downgrading works as expected.

I have a check that the worker must NOT respond unless requests come from my whitelisted domain (think of the hot link protection offered by Cloudflare for images). I noticed that after the upgrade those headers never make it to my worker.

I use Hono and Postman.

I hope there's a clear indication of how the bug was born - if not, please let me know! I will create a tiny reproduction repo. ✌️

Please provide a link to a minimal reproduction

https://github.com/flexchar/workers-sdk-issue-4849

Please provide any relevant error logs

No error logs appear.

@flexchar flexchar added the bug Something that isn't working label Jan 28, 2024
@github-project-automation github-project-automation bot moved this to Untriaged in workers-sdk Jan 28, 2024
@penalosa penalosa added the regression Break in existing functionality as a result of a recent change label Jan 29, 2024
@penalosa
Contributor

penalosa commented Jan 29, 2024

This should have been fixed in #4812 —could you check if the latest version of Wrangler exhibits the bug?

@penalosa penalosa added the awaiting reporter response Needs clarification or followup from OP label Jan 29, 2024
@afonsocrg

@penalosa it looks like it. I stumbled on this issue because I'm having a similar error:

I have a React frontend that is making a request to a worker. The Origin header is correctly set by the browser (localhost:5173), which was further confirmed with Wireshark. However, when the worker starts processing the request, the Origin header contains the value of the request URL (in my case localhost:8787). Since I'm losing the information about the request origin, it's impossible for me to correctly set the Access-Control-Allow-Origin header, which makes the frontend block every request sent to the backend.

I'm having trouble figuring out why the Origin header needs to be set to the request URL, and not to its original value (request.headers.get("Origin")). I would be very grateful if someone could clarify that for me!

I will also comment on that PR, since it may be a more appropriate place to ask this question!
Btw, @penalosa the link you gave to the PR has additional characters (--could), which forwards to a 404 error page.

@flexchar
Author

flexchar commented Feb 7, 2024

Hey Somhairle, I never had the issue before so I'm not sure about #4812.

I can confirm it's still an issue in 3.26.0. I had to downgrade to 3.24.0 again. I will make a repro today.

@stefanmaric

I'm experiencing this same issue with versions 3.25.0, 3.26.0, and 3.27.0.

@flexchar
Author

flexchar commented Feb 7, 2024

Okay, so I made a mistake regarding the Referer header. It works. I found out about this issue when the CORS middleware stopped working inside Hono. The middleware only looks for the Origin header, thus my confusion. I am sorry for that. I hope we can figure out where Origin hides.

The example: https://github.com/flexchar/workers-sdk-issue-4849
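
The failure mode discussed in this thread, as an added example that is not part of the issue, the reproduction repo or workers-sdk: an Origin allowlist for a Worker that fails closed and reports separately when the Origin it receives equals its own request URL, which is the symptom described in the comments above. The function names, the `reason` strings, the `http` scheme and the allowlist contents are assumptions made for illustration.

```javascript
// Added example; names, reason strings and the allowlist are assumptions.
// Ports come from the thread (5173 frontend, 8787 worker); "http" is assumed.
const ALLOWED_ORIGINS = new Set(["http://localhost:5173"]);

// Pure decision function: what to answer for the Origin the worker received.
function corsDecision({ method, url, origin }, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" }; // caches must key responses on Origin
  if (!origin) return { status: 403, headers, reason: "missing-origin" };

  // A valid Origin is exactly scheme://host[:port]; anything else fails closed.
  let parsed = null;
  try {
    parsed = new URL(origin).origin;
  } catch {
    parsed = null;
  }
  if (parsed !== origin) return { status: 403, headers, reason: "malformed-origin" };

  if (!allowed.has(origin)) {
    // Symptom from this thread: Origin arrives equal to the worker's own URL,
    // so surface that separately from an ordinary non-allowlisted caller.
    const rewritten = origin === new URL(url).origin;
    const reason = rewritten ? "origin-equals-request-url" : "not-allowlisted";
    return { status: 403, headers, reason };
  }

  headers["Access-Control-Allow-Origin"] = origin; // echo the exact match, never "*"
  if (method === "OPTIONS") {
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    return { status: 204, headers, reason: "preflight" };
  }
  return { status: 200, headers, reason: "allowed" };
}

// Thin Workers-style wrapper; Hono or a module worker would call this per request.
function handle(request) {
  const decision = corsDecision({
    method: request.method,
    url: request.url,
    origin: request.headers.get("Origin"),
  });
  const body = decision.status === 200 ? "ok" : null;
  return new Response(body, { status: decision.status, headers: decision.headers });
}
```

Logging the `origin-equals-request-url` reason in local development makes a tooling regression like this one visible immediately instead of showing up as unexplained CORS failures in the browser.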

@flexchar flexchar changed the title 🐛 BUG: After upgrading to 3.25.0, Origin/Referer headers are ignored. 🐛 BUG: Origin header is ignored in 3.25.0 - 3.27.0 versions Feb 7, 2024
@lrapoport-cf lrapoport-cf added awaiting Cloudflare response Awaiting response from workers-sdk maintainer team and removed awaiting reporter response Needs clarification or followup from OP labels Feb 8, 2024
@petebacondarwin
Contributor

@flexchar - please can you check with the fix in #4950. I.e.

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7843359492/npm-package-wrangler-4950

This should go out in the next release tomorrow.

@petebacondarwin petebacondarwin removed the awaiting Cloudflare response Awaiting response from workers-sdk maintainer team label Feb 12, 2024
@petebacondarwin petebacondarwin moved this from Untriaged to Other in workers-sdk Feb 12, 2024
@petebacondarwin petebacondarwin added the awaiting reporter response Needs clarification or followup from OP label Feb 12, 2024
@lrapoport-cf lrapoport-cf moved this from Other to Untriaged in workers-sdk Feb 12, 2024
@flexchar
Author

I confirm it works as expected, @petebacondarwin. 🤝

@petebacondarwin
Contributor

Great! If it's OK I'll close this PR as done and you can expect this to be generally available in the release tomorrow.

@github-project-automation github-project-automation bot moved this from Untriaged to Done in workers-sdk Feb 12, 2024