Custom protocol on Linux sends empty `Origin` header

[Beanow]

Describe the bug

Using a custom protocol like wry:// from the examples, the browser will send Origin: (blank) to the server.
And any value for Access-Control-Allow-Origin doesn't work, except for *.

Steps To Reproduce

1. Start a Caddy server with the below guide.
   https://gist.github.com/Beanow/ccb667d1d7ffc674dedd7e54a62800ec
2. Start the custom protocol example cargo run --example custom_protocol.
3. Open devtools and run in the console:

fetch('http://localhost:8080/wry').then(res => res.text()).then(console.log)

Notice how the network tab will claim "Origin: wry://examples"
And the server allows it with Access-Control-Allow-Origin: wry://examples.

However looking at the Caddy access logs, the actual origin header was blank.
And the browser blocks the request.

{
	"request": {
		"remote_addr": "172.17.0.1:41812",
		"proto": "HTTP/1.1",
		"method": "GET",
		"host": "localhost:8080",
		"uri": "/wry",
		"headers": {
			"Accept-Encoding": ["gzip, deflate"],
			"Accept-Language": ["en-US"],
			"Connection": ["Keep-Alive"],
			"Origin": [""],
			"Accept": ["*/*"],
			"User-Agent": [
				"Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15"
			]
		}
	},
	"common_log": "172.17.0.1 - - [11/Aug/2021:19:15:56 +0000] \"GET /wry HTTP/1.1\" 200 27",
	"duration": 0.000135124,
	"size": 27,
	"status": 200,
	"resp_headers": {
		"Server": ["Caddy"],
		"Access-Control-Allow-Origin": ["wry://examples"],
		"Content-Type": []
	}
}

Expected behavior

• Making a request from the wry://examples origin, sets the header Origin: wry://examples.
• Given a Access-Control-Allow-Origin: wry://examples response header, the request is not blocked.

Screenshots

Platform and Versions (please complete the following information):
OS: Linux / Ubuntu 20.04 LTS
Rustc: 1.54.0

Would you assign yourself to resolve this bug?

• Yes
• No

Additional context

Possibly related to #348.
Downstream issue tauri-apps/tauri#2327

Other examples are included in the gist/server.

fetch('http://localhost:8080/anything').then(res => res.text()).then(console.log)

For instance does seem to work given the Access-Control-Allow-Origin: *.

[Beanow]

I've tried messing with https://gtk-rs.org/webkit2gtk-rs/webkit2gtk/trait.SecurityManagerExt.html#tymethod.register_uri_scheme_as_cors_enabled
As by the name, that seems logical.

https://github.com/tauri-apps/wry/blob/dev/src/webview/web_context.rs#L298-L301

-    context
-      .security_manager()
-      .ok_or(Error::MissingManager)?
-      .register_uri_scheme_as_secure(name);
+    let secman = context.security_manager().ok_or(Error::MissingManager)?;
+    secman.register_uri_scheme_as_secure(name);
+
+    let wascors = secman.uri_scheme_is_cors_enabled(name);
+    secman.register_uri_scheme_as_cors_enabled(name);
+    let iscors = secman.uri_scheme_is_cors_enabled(name);
+    println!("Was cors? {} {}", name, wascors);
+    println!("Is cors? {} {}", name, iscors);

Was cors? wry false
Is cors? wry true

But seems to make no difference for this issue.

[lemarier]

Already made tons of research on this and it seems Ionic is facing same issue;
#348 (comment)

[Beanow]

Gotcha, yeah I see that issue requested a way to disable CORS. (Not a good idea)
And adds:

Note that CORS can still be solved by backend servers handle it properly.

In the example I've reproduced though that a correctly behaving sever doesn't solve this.
Looking at Ionic's results seems like it's inherent to WK2.

[wusyong]

While I'm asking a few upstream forums like #webkitgtk:matrix.org, there's a workaround that can load HTML file with the URL we choose:
https://developer.apple.com/documentation/webkit/wkwebview/1415004-loadhtmlstring?language=objc
https://webkitgtk.org/reference/webkit2gtk/stable/WebKitWebView.html#webkit-web-view-load-html

The origin of the request will be normal like http://localhost, but other assets will still need to be loaded from custom protocol.
And Access-Control-Allow-Origin must match the exact Origin header like http://localhost
Not sure how difficult will tauri need to refactor with this?
@lucasfernog @lemarier @chippers Do you think this is a viable choice?

[chippers]

I think, this is a reasonable choice. Does webview2 also support this? If we can utilize the browser's native XHR/Fetch requests, that is a big win in my eyes. To make a native (rust side) http client work the exact same along with allowing custom origins is also extra work that we can hopefully avoid doing.

[wusyong]

Ironicly, Windows doesn't suffer from this because it's actually HTTP already.
But its URL is different, this means 2 headers need to be added in Access-Control-Allow-Origin.
Or maybe we find some way to simplified how custom protocol filters on Windows.

[chippers]

Honestly I had forgotten a bit about the Windows implementation. Anything that loads relatively securely and exposes a browser environment as native as possible is a big win in my eyes. Looking at the code again, we are using https with some sort of custom domain. If we can get the origin to match the expected value the server sees, I have 0 problems with it.

[wusyong]

I opened #368 to provide some alternatives to load the page which can have http://localhost as origin and make fetch and XHR works.
I also filed a bug to Webkit's bugzilla hoping they could investigate too.
Do you think tauri can use with_html to load the page while still using custom protocol to load other assets?

[Beanow]

The only drawbacks for this suggestion I can think of, is that if a fictional http(s):// origin is used instead of a custom protocol, having a real server running on that domain (or DNS spoofed/MITMed) wouldn't this be considered same-origin?

Especially if using http://localhost as the origin.

As I agree with @chippers it would be a big win to enable using fetch / xhr securely. Though if that comes at the cost of punching a big hole in the CORS protection, I'd lean towards no fetch / xhr support till WK fixes the bugs xD

We can probably make it more difficult, like using some non-existent TLD and using https. Say https://localdata.tauri as origin. But still seems rather fragile to depend on hoping nobody makes this TLD and nobody issues valid certificates for this domain, etc.