Pass headers to feed generator #2030
Conversation
| const headers: Record<string, string> = {} | ||
| for (const [key, value] of Object.entries(req.headers)) { | ||
| if (typeof value === 'string') { | ||
| headers[key] = value | ||
| } | ||
| } |
There was a problem hiding this comment.
We'll want to avoid passing through hop-by-hop headers, which include the following:
- connection
- keep-alive
- proxy-authenticate
- proxy-authorization
- te
- trailer
- transfer-encoding
- upgrade
The connection header itself may list additional hop-by-hop headers as well—this is all described a bit on mdn: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection. We probably also want to avoid passing through the host header, since the host is different in the upstream request.
There was a problem hiding this comment.
I think there's enough complexity with the hop-by-hop headers that we may just want to special-case accept-language for now until we can do a more rigorous pass on this.
@CooperEdmunds are there any other headers that you'd like to have passed through to the feed generator?
There was a problem hiding this comment.
accept-language is sufficient. I'll make that change.
There was a problem hiding this comment.
yeah, my intuition would be to pass-through only an allow-list of headers, not all-by-default.
In addition to divy's list above, there are some security/privacy sensitive headers like X-Real-IP, X-Forwarded-Proto, Strict-Transport-Security, Cookie, etc.
Other ones I could see wanting to pass through are:
Accept(content-negotiation)Cache-Control(eg, if trying to cache-bust?)If-Modified-Since(cache control)Max-Forwards(prevent loops!)Origin(for CORS? and logging? possible privacy concern?)Referer(possible privacy concern?)User-AgentDNT(do-not-track)
Forwards headers from getFeed req to the feed generator. In light of this PR adding an Accept-Language header to requests from the frontend, this will enable feed generators to respect the user's language preferences.