-
Notifications
You must be signed in to change notification settings - Fork 513
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow setting host
header in fetch call
#2369
Comments
I think this is probably one of those cases where you shoulnd't be using fetch. Use |
@ronag does that mean that my application then has to add a dependency on |
Correct. |
fetch should really just be used for cases where isomorphic code is required, e.g. libraries. It's simply not the right tool for back end development in general. |
Ok, that makes sense. Will have a go with that approach. |
This would solve...
See #2322 (comment) and https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#undici---cookie-headers-are-not-cleared-in-cross-domain-redirect-in-undici-fetch-high---cve-2023-45143. In the latest security release,
fetch
doesn't allow setting thehost
header anymore.This leads to problems when the
host
header is a required header, in case you want to do a request to an external application that requires both an IP address and ahost
header value (for routing the request to the right context).A similar bug report here: nodejs/node#50305
The implementation should look like...
A solution could be to have a Node.js CLI flag like
--allowHostHeader
or more generic--allowHeaders=host
, that is handled in undici.I have also considered...
There is no workaround, except using a userland HTTP library like
got
(which does not block thehost
header from being set).The text was updated successfully, but these errors were encountered: