fix: ctx.request.origin should respect proxy flag via X-Forwarded-Proto #1940
Open
guoyangzhen wants to merge 1 commit into koajs:master from
Fixes koajs#1746

The origin getter returned this.req.headers.origin (the CORS Origin header) which ignores the proxy flag. Changed to construct origin from protocol and host getters, which already respect X-Forwarded-Proto and X-Forwarded-Host when app.proxy is true.
guoyangzhen (Author) commented Apr 2, 2026
guoyangzhen left a comment:
The CI failure is because this PR changes the semantics of ctx.origin:
Before: Returns the Origin HTTP request header (used for CORS)
After: Constructs protocol://host from the request URL
The test sets headers.origin = 'http://example.com' and headers.host = 'localhost'.
- Old behavior: returns http://example.com (the Origin header)
- New behavior: returns http://localhost (constructed from host)
These serve different purposes. The Origin header is used for CORS, while protocol://host is the request's actual URL origin. If the intent is to provide the request URL origin, consider adding a separate getter (e.g., request.urlOrigin) instead of changing the existing ctx.origin behavior, which would be a breaking change for CORS middleware.
Fixes #1746
Problem
With app.proxy = true, ctx.request.origin ignores X-Forwarded-Proto and always returns http://. This is because the getter returns this.req.headers.origin (the CORS Origin header) instead of constructing the origin from the request URL.
Meanwhile ctx.protocol correctly returns https from X-Forwarded-Proto, and ctx.host correctly reads X-Forwarded-Host.
Fix
Change origin getter to construct ${protocol}://${host} using the existing getters that already respect the proxy flag. Returns null when host is empty (maintaining backward compatibility for cases where no host header is present).
Test
With nginx proxy passing X-Forwarded-Proto: https and X-Forwarded-Host: mywebsite.com:
- ctx.request.origin = http://mywebsite.com (from raw Origin header)
- ctx.request.origin = https://mywebsite.com (from proxy headers)
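Added example, not part of this PR and not Koa's source: a stand-alone model of the two values discussed in this thread, the request's URL origin (protocol://host, honouring the forwarded headers only when the proxy flag is set) and the CORS Origin header. The function names, the `proxy` and `encrypted` parameters and the sample request are assumptions made for illustration.

```javascript
// Illustration only. `proxy` stands in for app.proxy; `encrypted` stands in
// for a TLS socket on the direct connection. All names are hypothetical.
function firstValue(header) {
  // Proxies append to X-Forwarded-*; keep the first entry, trimmed.
  return header ? header.split(',', 1)[0].trim() : '';
}

function requestProtocol({ headers, encrypted = false }, proxy) {
  if (encrypted) return 'https';
  if (!proxy) return 'http'; // forwarded headers are ignored unless trusted
  return firstValue(headers['x-forwarded-proto']) || 'http';
}

function requestHost({ headers }, proxy) {
  const forwarded = proxy ? firstValue(headers['x-forwarded-host']) : '';
  return forwarded || firstValue(headers.host);
}

// URL origin of the request: protocol://host, or null when no host is known
// (the null case follows the PR description).
function urlOrigin(req, proxy) {
  const host = requestHost(req, proxy);
  return host ? `${requestProtocol(req, proxy)}://${host}` : null;
}

// The CORS Origin header is a separate, client-supplied value.
function corsOrigin({ headers }) {
  return headers.origin || null;
}

// Constructed sample: plain-HTTP hop from a TLS-terminating reverse proxy.
const viaProxy = {
  headers: {
    host: '127.0.0.1:3000',
    origin: 'http://example.com',
    'x-forwarded-proto': 'https',
    'x-forwarded-host': 'mywebsite.com',
  },
};

console.log(urlOrigin(viaProxy, true));  // proxy flag on
console.log(urlOrigin(viaProxy, false)); // proxy flag off
console.log(corsOrigin(viaProxy));       // unaffected by the flag
```

With the flag on, the derived origin is only as trustworthy as the proxy that sets X-Forwarded-Proto and X-Forwarded-Host, so the flag belongs on only when every request passes through a proxy that overwrites those headers.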