Tags: clojure, reitit

How can I set the origin header param as mandatory in Reitit?


I have a Clojure application with Pedestal & Reitit and I need the origin header param to be mandatory.

;; deps
[io.pedestal/pedestal.service "0.5.5"]
[pedestal/pedestal.jetty "0.5.5"]
[reitit-pedestal "0.5.5"]
[reitit "0.5.5"]

But if I put it in my schema, the request throws an exception.

(require '[schema.core :as s])

;; :header is the Reitit parameter key for request headers
(s/defschema my-request
  {:header {:origin s/Str}})

;; route data (the coercion interceptor is configured elsewhere in the app)
["/my-route"
    {:get  {:parameters  my-request
            :handler     my-handler}}]

Exception:

:errors {:origin missing-required-key}

{
  "message": "Bad Request",
  "exception": "clojure.lang.ExceptionInfo: clojure.lang.ExceptionInfo in Interceptor :reitit.http.coercion/coerce-request - 
  Request coercion failed: #reitit.coercion.CoercionError{:schema {:origin java.lang.String, Keyword Any}, :errors {:origin missing-required-key}}

Request

curl -X GET "http://localhost:3000/my-route" -H "accept: application/json" -H "origin: TEST" -H "user-agent: test"

The curl request works; the issue only occurs in Swagger UI with the GET method.

It seems that Swagger UI doesn't send the origin header param for GET methods, to avoid CORS attacks.

Can I work around this?

Thanks for your help


Solution

  • After I discussed this with a colleague, he showed me this:

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

    The Origin request header indicates where a fetch originates from. It doesn't include any path information, but only the server name. It is sent with CORS requests, as well as with POST requests. It is similar to the Referer header, but, unlike this header, it doesn't disclose the whole path.

    And I found this

    https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

    A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

    Guess what, origin is one of them.

    There's this too: https://bugzilla.mozilla.org/show_bug.cgi?id=1508661

    "Origin header should not be set for GET and HEAD requests" (2018-11-20, two years ago)

    I tried it and inspected my application's requests in Firefox and Chrome; they behave the same as the links describe.

    I suppose that's it. Thanks
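Since a browser never sets Origin on a same-origin GET or HEAD request, and Swagger UI cannot add it because it is a forbidden header name, a schema that requires it on GET will reject every browser-issued GET. One way to keep the header mandatory only where a browser actually sends it is to require it per method. The following is an added example, not code from the question or from Reitit itself; it uses plain plumatic Schema, and the schema names, `check-headers`, and the `my-handler` placeholder are assumptions for illustration:

```clojure
(ns example.origin
  (:require [schema.core :as s]))

;; GET/HEAD: browsers do not send Origin on same-origin requests and cannot
;; be made to (forbidden header name), so it has to be optional here.
;; s/Keyword s/Any keeps the map open so other headers (user-agent, accept,
;; ...) do not fail validation.
(s/defschema get-headers
  {(s/optional-key :origin) s/Str
   s/Keyword s/Any})

;; POST and other CORS/state-changing requests: browsers do send Origin,
;; so it can stay mandatory. This is the header check that is actually
;; useful against cross-site request forgery.
(s/defschema post-headers
  {:origin s/Str
   s/Keyword s/Any})

(defn check-headers
  "Validate a keywordized header map against the schema for the given
   request method. Returns nil when valid, otherwise the Schema error map,
   e.g. {:origin missing-required-key}."
  [method headers]
  (s/check (if (contains? #{:get :head} method) get-headers post-headers)
           headers))

;; Placeholder handler, standing in for the my-handler of the question.
(defn my-handler [_request]
  {:status 200 :body "ok"})

;; Reitit route data using the two schemas under the :header parameter key,
;; as in the question's route, but with Origin optional on GET only.
(def routes
  ["/my-route"
   {:get  {:parameters {:header get-headers}
           :handler    my-handler}
    :post {:parameters {:header post-headers}
           :handler    my-handler}}])
```

With these schemas `(check-headers :get {:accept "application/json"})` returns nil, while `(check-headers :post {:accept "application/json"})` returns `{:origin missing-required-key}`, which is the same error the coercion interceptor reported for the Swagger UI GET. Note that requiring Origin does not by itself verify it: a check that the value matches the site's own origins is still needed on the POST side, and it belongs in an interceptor rather than in the schema.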