fix: ensure we do not rewrite external Origin headers in wrangler dev

[petebacondarwin]

In #4812 we tried to fix the Origin headers to match the Host header but were overzealous and rewrote Origin headers for external origins (outside of the proxy server's origin).

This is now fixed, and moreover we rewrite any headers that refer to the proxy server on the request with the configured host and vice versa on the response.

This should ensure that CORS is not broken in browsers when a different host is being simulated based on routes in the Wrangler configuration.

Author has addressed the following:

• Tests
  • Included
  • Not necessary because:
• Changeset (Changeset guidelines)
  • Included
  • Not necessary because:
• Associated docs
  • Issue(s)/PR(s):
  • Not necessary because: bug fix

[changeset-bot]

🦋 Changeset detected

Latest commit: ded262e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
miniflare	Patch
wrangler	Patch
@cloudflare/pages-shared	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

A wrangler prerelease is available for testing. You can install this latest build in your project with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7843359492/npm-package-wrangler-4950

You can reference the automatically updated head of this PR with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/4950/npm-package-wrangler-4950

Or you can use npx with this latest build directly:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7843359492/npm-package-wrangler-4950 dev path/to/script.js

Additional artifacts:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7843359492/npm-package-create-cloudflare-4950 --no-auto-update

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7843359492/npm-package-miniflare-4950

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/7843359492/npm-package-cloudflare-pages-shared-4950

Note that these links will no longer work once the GitHub Actions artifact expires.

---

[email protected] includes the following runtime dependencies:

Package	Constraint	Resolved
miniflare	workspace:*	3.20240129.1
workerd	1.20240129.0	1.20240129.0
workerd --version	1.20240129.0	2024-01-29

Please ensure constraints are pinned, and miniflare/workerd minor versions match.

[codecov]

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (ffafe8a) 70.43% compared to head (ded262e) 70.52%.
Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4950      +/-   ##
==========================================
+ Coverage   70.43%   70.52%   +0.08%     
==========================================
  Files         295      295              
  Lines       15407    15419      +12     
  Branches     3948     3953       +5     
==========================================
+ Hits        10852    10874      +22     
+ Misses       4555     4545      -10     

Files	Coverage Δ
packages/wrangler/src/api/startDevWorker/events.ts	15.38% <ø> (ø)
packages/wrangler/src/dev/remote.tsx	7.92% <0.00%> (ø)

... and 8 files with indirect coverage changes

[petebacondarwin]

I noted that we had to make the headers record allow undefined values just to accommodate this Cookie assignment. But in reality we don't actually want to assign undefined to Cookie, since the code later one would result in the Cookie looking like: previous-cookies;undefined.

So I fixed this up here, removed the undefined from the type and was able to avoid a ! operator later on.

[RamIdeas]

This is fair enough. And is probably the "correct" solution. But this type will eventually be exposed to users to write themselves, and I believe allowing undefined will be more ergonomic and subtly improve DX

[petebacondarwin]

I'm not convinced that allowing undefined here adds to user DX. If anything it creates a mental overhead because the user has to think about what setting to undefined actually means (when it actually means ignore this header and not remove the original header).

[petebacondarwin]

Adding these here also fixes the remote dev mode Origin header rewriting!

[RamIdeas]

This might be a bit side-effecty... This will add a MF-Original-URL header which won't be interpreted and removed by miniflare in remote mode.

[petebacondarwin]

Yeah I was a bit worried about that. Should we create new override properties that are specifically for header rewrites?

[petebacondarwin]

Actually, as far as I can tell MF-Original-URL and MF-Disable-Pretty-Error are always set on every proxy worker request whether in local or remote mode. So I don't think that this change actually introduces any new side effect.

Whether those headers should be added in remote mode is a question for another PR I think.

[RamIdeas]

Yeah let's follow up in another PR if needed.

I think in remote mode, the inner url overrides aren't set so the header wouldn't have been set?

[petebacondarwin]

https://github.com/cloudflare/workers-sdk/blob/main/packages/wrangler/templates/startDevWorker/ProxyWorker.ts#L125-L126

[RamIdeas]

This might be a bit side-effecty... This will add a MF-Original-URL header which won't be interpreted and removed by miniflare in remote mode.

[RamIdeas]

This is fair enough. And is probably the "correct" solution. But this type will eventually be exposed to users to write themselves, and I believe allowing undefined will be more ergonomic and subtly improve DX

[RamIdeas]

Access-Control-Allow-Origin is a response header so I assume you expect this function to be used in both directions?

[petebacondarwin]

I'll tweak the description.

[RamIdeas]

Ah yes both directions! This is clever. Now the browser will have no idea that the URL was faked inside the worker either 😄

Small bug/typo:

Suggested change

	rewriteUrlRelatedHeaders(headers, innerUrl, outerUrl);
	rewriteUrlRelatedHeaders(res.headers, innerUrl, outerUrl);

But you might not be able to mutate response headers without:

Suggested change

	rewriteUrlRelatedHeaders(headers, innerUrl, outerUrl);
	res = new Response(res);
	rewriteUrlRelatedHeaders(res.headers, innerUrl, outerUrl);

[petebacondarwin]

That's not a typo! It's a bona fide mistake! Thanks for spotting that.

[RamIdeas]

I also think this is a "new"-ish feature that should get its own changeset and documentation. It's really cool that a dev could write Response.redirect(`${url.origin}/redirect/path`) and that would "just work"™️ in wrangler dev [--remote] – we should shout from the rooftops!

[petebacondarwin]

Strictly this was already part of the old proxy:

workers-sdk/packages/wrangler/src/dev/proxy.ts

Line 70 in d637bd5

function rewriteRemoteHostToLocalHostInHeaders(

[petebacondarwin]

Fixed this problem in a fixup commit and added a test to prove it.

[petebacondarwin]

Thanks for the review

[petebacondarwin]

I'm not convinced that allowing undefined here adds to user DX. If anything it creates a mental overhead because the user has to think about what setting to undefined actually means (when it actually means ignore this header and not remove the original header).

[petebacondarwin]

Yeah I was a bit worried about that. Should we create new override properties that are specifically for header rewrites?

[petebacondarwin]

That's not a typo! It's a bona fide mistake! Thanks for spotting that.

[petebacondarwin]

I'll tweak the description.

[RamIdeas]

Happy to merge. Might want to hold off merging since I believe we want to get a hot fix out today.

One remaining point (you decide whether to address or not): should we print something to the console to let the user know the origin/host is being rewritten across all request/response headers inc Set-Cookie (and not the body) and let them know they can opt-out by...?

[petebacondarwin]

Happy to merge. Might want to hold off merging since I believe we want to get a hot fix out today.

One remaining point (you decide whether to address or not): should we print something to the console to let the user know the origin/host is being rewritten across all request/response headers inc Set-Cookie (and not the body) and let them know they can opt-out by...?

Yeah good question... we have not previously had a message for rewriting the request.url, and prior to 3.18, I believe that we would have been rewriting response headers in this way anyway.

I've put some debug logging messages in, so at least if the user is getting confused it could be analysed via increasing the logging level. I forgot this is workerd and can't use the Wrangler logger here...

[penalosa]

The edge-preview-authenticated-proxy stuff here looks good!

[RamIdeas]

I've put some debug logging messages in, so at least if the user is getting confused it could be analysed via increasing the logging level. I forgot this is workerd and can't use the Wrangler logger here...

In remote mode, yeah no, but locally workerd logs now reach the log file (not the terminal but that's what you were going for anyway)

[petebacondarwin]

In remote mode, yeah no, but locally workerd logs now reach the log file (not the terminal but that's what you were going for anyway)

Hmm I tried adding console.debug() logs to the ProxyWorker but these always appeared in the output of wrangler dev (whatever the logging level). So I think this is too much noise. Perhaps we need to tweak the Proxy Worker's Miniflare configuration?

I think we can leave this to another time, or if someone gets confused by this rewriting.

[jfnault-seedbox]

@petebacondarwin Can you please take a look at
#5221

I think this PR is related, I had couple of notes:
#5221 (comment)