Merged
5 changes: 5 additions & 0 deletions .changeset/eager-lizards-stand.md
@@ -0,0 +1,5 @@
---
'@solana/rpc-transport-http': minor
---

The React Native and Node builds now permit you to set the `Origin` header. This header continues to be forbidden in the browser build, as it features on the list of forbidden request headers: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_request_header
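Review bot: The sentence "continues to be forbidden in the browser build" overstates what the code comment in http-transport-headers.ts says, which is that `Origin` is "still a runtime error in dev mode when supplied in a browser context". Qualify the changeset the same way so readers do not assume the production browser bundle enforces it. It is also worth one sentence telling RPC server operators that Node and React Native clients can now send an arbitrary `Origin` value, so the header should not be treated as proof of where a request came from.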
Expand Up @@ -27,7 +27,6 @@ describe('assertIsAllowedHttpRequestHeader', () => {
'Expect',
'Host',
'Keep-Alive',
'Origin',
'Permissions-Policy',
'Proxy-Anything',
'Proxy-Authenticate',
Expand Down Expand Up @@ -64,6 +63,17 @@ describe('assertIsAllowedHttpRequestHeader', () => {
);
});
}
if (__BROWSER__) {
it('throws when called with the `Origin` header', () => {
expect(() => {
assertIsAllowedHttpRequestHeaders({ Origin: 'https://spoofed.site' });
}).toThrow(
new SolanaError(SOLANA_ERROR__RPC__TRANSPORT_HTTP_HEADER_FORBIDDEN, {
headers: ['Origin'],
}),
);
});
}
['Authorization', 'Content-Language', 'Solana-Client'].forEach(allowedHeader => {
it('does not throw when called with the header `' + allowedHeader + '`', () => {
expect(() => {
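Review bot: The counterpart case is missing. The new `if (__BROWSER__)` block only proves that `Origin` throws in the browser build, and `Origin` was not added to the `['Authorization', 'Content-Language', 'Solana-Client']` list that follows it, so nothing in this file asserts the behaviour the changeset promises for Node and React Native. Add an `if (!__BROWSER__)` block asserting that `assertIsAllowedHttpRequestHeaders({ Origin: 'https://spoofed.site' })` does not throw. Because the `FORBIDDEN_HEADERS` keys are lowercase, a second browser assertion with a lowercase `origin` key would also pin down the case handling for this header.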
7 changes: 5 additions & 2 deletions packages/rpc-transport-http/src/http-transport-headers.ts
Expand Up @@ -33,7 +33,10 @@ type ForbiddenHeaders =
| 'Expect'
| 'Host'
| 'Keep-Alive'
| 'Origin'
// Similar to `Accept-Encoding`, we don't have a way to target TypeScript types depending on
// which platform you are authoring for. `Origin` is therefore omitted from the forbidden
// headers type, but is still a runtime error in dev mode when supplied in a browser context.
// | 'Origin'
| 'Permissions-Policy'
| 'Referer'
| 'TE'
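Review bot: With `'Origin'` commented out of the `ForbiddenHeaders` union, browser authors lose the compile-time error, and the new comment says the remaining guard is a runtime error "in dev mode" only. Please state in the comment what that means outside dev mode, namely that nothing in this package rejects the header there, so the reduced coverage is explicit to the next reader. The dead `// | 'Origin'` line can stay if it mirrors how `Accept-Encoding` is handled, but then say so next to it.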
Expand Down Expand Up @@ -64,7 +67,6 @@ const FORBIDDEN_HEADERS: Record<string, boolean> = /* @__PURE__ */ Object.assign
expect: true,
host: true,
'keep-alive': true,
origin: true,
'permissions-policy': true,
// Prefix matching is implemented in code, below.
// 'proxy-': true,
Expand All @@ -77,6 +79,7 @@ const FORBIDDEN_HEADERS: Record<string, boolean> = /* @__PURE__ */ Object.assign
via: true,
},
__NODEJS__ ? undefined : { 'accept-encoding': true },
__BROWSER__ ? { origin: true } : undefined,
);

export function assertIsAllowedHttpRequestHeaders(
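Review bot: The two platform-conditional entries now use opposite polarity with no explanation: `__NODEJS__ ? undefined : { 'accept-encoding': true }` forbids the header everywhere except Node, while `__BROWSER__ ? { origin: true } : undefined` forbids it only in the browser. That difference is what lets React Native set `Origin`, and it is easy to misread or "normalise" later. Add a one-line comment above each entry naming the builds in which the header is forbidden, in the same style as the existing "Prefix matching is implemented in code, below." comment.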