I've a Clojure application with Pedestal & Reitit and I need the origin header param to be mandatory.
    ;; deps
    [io.pedestal/pedestal.service "0.5.5"]
    [pedestal/pedestal.jetty "0.5.5"]
    [reitit-pedestal "0.5.5"]
    [reitit "0.5.5"]
But if I put it in my schema, the request throws an exception.
    (s/defschema my-request
      {:header {:origin s/Str}})

    ["/my-route"
     {:get {:parameters my-request
            :handler my-handler}}]
Exception:
    :errors {:origin missing-required-key}
    {
    "message": "Bad Request",
    "exception": "clojure.lang.ExceptionInfo: clojure.lang.ExceptionInfo in Interceptor :reitit.http.coercion/coerce-request -
    Request coercion failed: #reitit.coercion.CoercionError{:schema {:origin java.lang.String, Keyword Any}, :errors {:origin missing-required-key}}
Request:
    curl -X GET "http://localhost:3000/my-route" -H "accept: application/json" -H "origin: TEST" -H "user-agent: test"
The curl request works; the issue is only in Swagger UI with the GET method.
It seems that Swagger, for GET methods, doesn't send the origin header param, to avoid CORS attacks.
Can I work around this?
Thanks for your help
After I discussed this with a colleague, he showed me this:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
And I found this
https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
Guess what, origin is one of them.
There is this too: https://bugzilla.mozilla.org/show_bug.cgi?id=1508661
I tried it and inspected my application's request in Firefox and Chrome; they behave as the links describe.
I suppose that's it. Thanks
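
Since browser script cannot set a forbidden header such as Origin, a required `origin` header parameter can never be satisfied from Swagger UI. The check below is an added example, not code from the original post: it goes beyond `origin` and scans a Swagger/OpenAPI document for any required header parameter whose name is a forbidden request-header in the Fetch standard. The function names and the sample spec are constructed for illustration.

```javascript
// Forbidden request-header names (Fetch standard): script running in a browser,
// Swagger UI included, cannot set these. Name-based entries only.
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// Header names are case-insensitive; "proxy-" and "sec-" prefixes are forbidden too.
function isForbiddenHeaderName(name) {
  const n = String(name).trim().toLowerCase();
  return FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

const METHODS = ["get", "put", "post", "delete", "options", "head", "patch"];

// Walk a Swagger/OpenAPI document and report every required header parameter
// that a browser client will be unable to supply.
function unsendableRequiredHeaders(spec) {
  const findings = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      // Path-level parameters apply to every operation under that path.
      const params = [...(item.parameters || []), ...(op.parameters || [])];
      for (const p of params) {
        if (p.in === "header" && p.required && isForbiddenHeaderName(p.name)) {
          findings.push({ path, method: method.toUpperCase(), header: p.name });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: an assumed spec shape for a required :origin header on /my-route.
const sampleSpec = {
  paths: {
    "/my-route": {
      get: { parameters: [
        { in: "header", name: "origin", required: true, type: "string" },
        { in: "header", name: "x-request-id", required: true, type: "string" },
      ] },
    },
  },
};
console.log(unsendableRequiredHeaders(sampleSpec));
```

A non-empty result means the route will fail request coercion for every browser-based caller, while non-browser clients such as curl can still supply the header.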