
fix(proxy): don't forward the caller's Cookie/Origin to the target #125

Open · matthewhardern wants to merge 2 commits into tscircuit:main from matthewhardern:fix/proxy-no-leak-caller-cookies

Conversation


@matthewhardern matthewhardern commented May 29, 2026

Summary

  • the /proxy route copied the caller's headers via new Headers(req.headers) and only overrode Cookie/Origin/Referer when the matching X-Sender-* header was present, so when it wasn't, the caller's own headers leaked through to the proxied third-party target
  • in tsci dev / the hosted editor this forwards the browser's localhost cookies (cookie-consent + PostHog analytics) to easyeda.com; easyeda's CloudFront WAF rejects the request with 403, breaking JLCPCB component import. It also leaks session/analytics cookies to a third party
  • clear inherited Cookie/Origin/Referer (and the Sec-Fetch-* fetch-metadata headers) before applying X-Sender-*, making X-Sender-* the sole source of those request-identity headers
  • add regression tests: caller Cookie/Origin are not forwarded; X-Sender-Cookie/X-Sender-Origin still are

Repro: with an accumulated browser cookie, POST /proxy to X-Target-Url: https://easyeda.com/api/components/search returns 403; the identical request without the caller cookie returns 200. Bisecting showed the forwarded Cookie was the trigger (not IP, rate-limiting, CORS, or TLS fingerprint).

Testing

  • bun test tests/routes/proxy.test.ts
  • bunx tsc --noEmit

The /proxy route copied the caller's request headers via
new Headers(req.headers) and only *overrode* Cookie/Origin/Referer
when X-Sender-* was present — so a browser's own (localhost) cookies
leaked to the proxied third-party target.

This (a) leaks session/analytics cookies to a third party and
(b) trips the target's WAF: easyeda's CloudFront returns 403 when the
forwarded request carries the caller's localhost cookies, breaking
JLCPCB component import in tsci dev / the hosted editor.

Clear inherited Cookie/Origin/Referer (and Sec-Fetch-* fetch metadata)
before applying X-Sender-* overrides, making X-Sender-* the sole source
of those request-identity headers. Adds regression tests.
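The "before" and "after" header handling described in the PR summary and commit message above, as an added example in TypeScript; this is not tscircuit's code, and the function names, the `buildForwardHeaders*` split and the proxy-control header list are assumptions made for illustration.

```typescript
// Added example (not tscircuit's code); names are assumptions for illustration.
// Request-identity headers that must never be inherited from the caller;
// X-Sender-<Name> is the only way to set them on the outbound request.
const IDENTITY_HEADERS = ["cookie", "origin", "referer"];
const IDENTITY_SET = new Set(IDENTITY_HEADERS);
// Headers the proxy itself consumes and must not pass on (assumed list).
const PROXY_CONTROL = new Set(["host", "x-target-url", "content-length"]);

// "Before": the behaviour the PR describes. Everything is copied and the
// identity headers are only *overridden* when X-Sender-* is present, so a
// caller without X-Sender-Cookie forwards its own Cookie to the target.
function buildForwardHeadersLeaky(incoming: Headers): Headers {
  const out = new Headers(incoming);
  for (const name of IDENTITY_HEADERS) {
    const override = incoming.get(`x-sender-${name}`);
    if (override !== null) out.set(name, override);
  }
  return out;
}

// "After": start empty, drop inherited identity headers, Sec-Fetch-* fetch
// metadata, the X-Sender-* carriers and proxy-control headers, then apply
// X-Sender-* as the sole source of Cookie/Origin/Referer.
function buildForwardHeaders(incoming: Headers): Headers {
  const out = new Headers();
  incoming.forEach((value, name) => {
    const lower = name.toLowerCase();
    if (IDENTITY_SET.has(lower) || PROXY_CONTROL.has(lower)) return;
    if (lower.startsWith("sec-fetch-") || lower.startsWith("x-sender-")) return;
    out.set(name, value);
  });
  for (const name of IDENTITY_HEADERS) {
    const override = incoming.get(`x-sender-${name}`);
    if (override !== null) out.set(name, override);
  }
  return out;
}

// Constructed sample: a browser on localhost calling the proxy with its own
// cookies and an explicit X-Sender-Origin for the target.
const sampleCaller = new Headers({
  Cookie: "cookie_consent=1; ph_session=abc", // constructed, not real values
  Origin: "http://localhost:5173",
  Referer: "http://localhost:5173/editor",
  "Sec-Fetch-Site": "same-origin",
  "X-Sender-Origin": "https://easyeda.com",
  "X-Target-Url": "https://easyeda.com/api/components/search",
  Accept: "application/json",
});
```

With `sampleCaller`, the leaky builder forwards the localhost Cookie and Referer to the target; the fixed builder forwards neither, keeps `Accept`, and sets Origin only from `X-Sender-Origin`.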
Address review: replace the inline Bun.serve mock servers in proxy.test.ts
with a reusable getFakeTargetServer fixture. Also adds a WAF-style test
(403 on any forwarded Cookie -> 200 after the fix) using the same fixture.

@imrishabh18 imrishabh18 left a comment


LGTM!

@imrishabh18 imrishabh18 requested a review from seveibar May 29, 2026 12:21