Description
Describe the bug
Originally reported on PR #16558 (comment)
This has broken my app's proxying behavior for the reasons you suspected above.
I am not using WS but I need my host header rewritten without my origin header rewritten, or else my CI fails.
Origin vs. Host Headers: The Key Difference
Host:
Tells the server which website/application is being requested.
Used for virtual hosting (multiple sites on one IP address).
Modified by the proxy when changeOrigin: true to match the target backend.
Origin:
Indicates the origin (protocol, domain, port) where the request initiated.
Primarily used for Cross-Origin Resource Sharing (CORS) security.
Not typically modified by proxies, even with changeOrigin: true. This is a browser security mechanism.
This change seems to leave the proxying open to CSRF attacks.
Perhaps it is wanted in a WS context, but I need a way to turn off the origin reassignment.
I'd prefer to have two options (as mentioned above) if you really need to maintain this behavior... rewriteHost and rewriteOrigin, with a warning on the latter
Reproduction
Not available
Steps to reproduce
No response
System Info
Not available
Used Package Manager
npm
Logs
No response
Validations
- Follow our Code of Conduct
- Read the Contributing Guidelines.
- Read the docs.
- Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
- Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to vuejs/core instead.
- Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
- The provided reproduction is a minimal reproducible example of the bug.
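
The Host/Origin distinction in the report above, as an added example (not part of the original issue and not Vite's implementation): a model of a proxy's header rewriting feeding a backend that validates Origin on state-changing requests. `rewriteHost` and `rewriteOrigin` are the option names proposed in the report; the helper functions, hostnames and allowlist are constructed assumptions.

```javascript
// Added illustration: a model of proxy header rewriting, not Vite's code.
// rewriteHost / rewriteOrigin are the option names proposed in the issue;
// forwardHeaders and backendAcceptsWrite are hypothetical helpers.

// Build the headers the proxy would send upstream.
function forwardHeaders(incoming, target, { rewriteHost, rewriteOrigin }) {
  const url = new URL(target);
  const out = { ...incoming };
  if (rewriteHost) out.host = url.host; // needed for virtual-host routing
  if (rewriteOrigin && out.origin !== undefined) {
    out.origin = url.origin; // discards where the request actually came from
  }
  return out;
}

// A common backend CSRF defence: a write must carry an allowlisted Origin.
function backendAcceptsWrite(headers, allowedOrigins) {
  if (headers.origin === undefined) return false;
  return allowedOrigins.includes(headers.origin);
}

// Constructed sample data.
const TARGET = "https://api.example.test";
const ALLOWED = ["https://api.example.test", "http://localhost:5173"];
const crossSite = { host: "localhost:5173", origin: "https://other-site.example" };
const sameSite = { host: "localhost:5173", origin: "http://localhost:5173" };

// Returns what the backend sees and whether its Origin check passes.
function evaluate(request, opts) {
  const sent = forwardHeaders(request, TARGET, opts);
  return {
    host: sent.host,
    origin: sent.origin,
    accepted: backendAcceptsWrite(sent, ALLOWED),
  };
}

const hostOnly = { rewriteHost: true, rewriteOrigin: false };
const both = { rewriteHost: true, rewriteOrigin: true };

console.log("cross-site, host only:", evaluate(crossSite, hostOnly));
console.log("cross-site, host + origin:", evaluate(crossSite, both));
console.log("same-site, host only:", evaluate(sameSite, hostOnly));
```

With only Host rewritten, the backend still sees the browser-supplied Origin and can reject the cross-site write; once Origin is rewritten too, every request looks same-origin to that check.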