ESI include should pass some original req's headers into the new request #5
Since this package is used officially with Caddy's cache handler, @dunglas might be interested in this or weigh in.

The specification says that the processor may use the initial request headers, not must. We can create a PR to support that.

@darkweak correct, but the usability of the ESI implementation is severely limited by some of these headers lacking, it's basically a non starter for many intended use cases.

Okay, so let's copy the base requests headers 👍

We must only pay attention to not leak headers cross origin. 👍

Do you want to create the PR for that @dkarlovi?
Specification says:

(emphasis mine)

When creating the child request, some of the headers need to be included for the child response to be constructed properly, for example `Cookie`/`Authorization` headers are required to know the identity of the user for which we're constructing the child response.

Security considerations

Some of these headers must NOT be forwarded in cross-origin scenarios. For example, `Cookie` and `Authorization` mustn't be passed unless the child request's host, port and scheme all match. IMO the best approach is to have an allow list of headers in general and a separate list of same-origin headers.
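The two-list approach described in the post, worked through as an added Go example. This is not code from the package discussed in this thread or from any participant; the names `forwardAlways`, `forwardSameOrigin`, `childHeaders` and `sameOrigin`, and the particular headers placed in each list, are assumptions made for the illustration. The same-origin check compares scheme, host and port, normalising an omitted port to the scheme's default so that `https://example.com` and `https://example.com:443` are treated as one origin, and the parent's origin is derived from the server-side request (`Host` and whether TLS was used) rather than from `r.URL`, which on an incoming request usually has no scheme or host.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Assumed allow lists (hypothetical, not the package's own configuration).
// forwardAlways: headers copied into every ESI child request.
// forwardSameOrigin: identity-bearing headers copied only when the child
// URL's scheme, host and port all match the parent request's origin.
var forwardAlways = []string{"Accept", "Accept-Language", "User-Agent", "X-Forwarded-For"}
var forwardSameOrigin = []string{"Cookie", "Authorization"}

// effectivePort returns the explicit port, or the scheme's default when
// the URL omits it, so the origin comparison is not fooled by ":443".
func effectivePort(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return "443"
	case "http":
		return "80"
	}
	return ""
}

// sameOrigin reports whether a and b share scheme, host and port.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) &&
		strings.EqualFold(a.Hostname(), b.Hostname()) &&
		effectivePort(a) == effectivePort(b)
}

// requestOrigin reconstructs the origin of an incoming request: a
// server-side *http.Request carries the host in r.Host and signals TLS via
// r.TLS, while r.URL is typically just the path.
func requestOrigin(r *http.Request) *url.URL {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	if r.URL != nil && r.URL.Scheme != "" {
		scheme = r.URL.Scheme
	}
	host := r.Host
	if host == "" && r.URL != nil {
		host = r.URL.Host
	}
	return &url.URL{Scheme: scheme, Host: host}
}

// copyHeaders copies only the named headers (all values) from src to dst.
func copyHeaders(dst, src http.Header, names []string) {
	for _, name := range names {
		if vals := src.Values(name); len(vals) > 0 {
			dst[http.CanonicalHeaderKey(name)] = append([]string(nil), vals...)
		}
	}
}

// childHeaders builds the header set for an ESI child request: the general
// allow list is always applied, the same-origin list only when the child
// URL matches the parent's origin. Anything not on a list is dropped.
func childHeaders(parent *http.Request, child *url.URL) http.Header {
	out := http.Header{}
	copyHeaders(out, parent.Header, forwardAlways)
	if sameOrigin(requestOrigin(parent), child) {
		copyHeaders(out, parent.Header, forwardSameOrigin)
	}
	return out
}

func main() {
	// Constructed sample parent request; the header values are made up.
	parent, _ := http.NewRequest("GET", "https://example.com/page", nil)
	parent.Header.Set("Cookie", "session=abc")
	parent.Header.Set("Authorization", "Bearer token")
	parent.Header.Set("Accept-Language", "en")
	parent.Header.Set("X-Internal-Secret", "never-forwarded")

	for _, src := range []string{
		"https://example.com/fragment",     // same origin: Cookie/Authorization pass
		"https://example.com:443/fragment", // same origin, explicit default port
		"http://example.com/fragment",      // scheme differs: identity headers dropped
		"https://cdn.example.net/fragment", // host differs: identity headers dropped
	} {
		u, _ := url.Parse(src)
		fmt.Printf("%-36s %v\n", src, childHeaders(parent, u))
	}
}
```

Because the check is an allow list rather than a deny list, a header the package has never heard of (the constructed `X-Internal-Secret` above) is never forwarded, which is the property that makes adding new headers safe by default.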