Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. (#1205)

jacopoc · web-flow · commit 608360047dc6 · 2025-12-02T09:56:09.000Z
diff --git a/src/server/sse.test.ts b/src/server/sse.test.ts
@@ -547,6 +547,27 @@ describe.each(zodTestMatrix)('$zodVersionLabel', (entry: ZodMatrixEntry) => {
                     expect(mockHandleRes.end).toHaveBeenCalledWith('Accepted');
                 });
 
+                it('should accept requests without origin headers', async () => {
+                    const mockRes = createMockResponse();
+                    const transport = new SSEServerTransport('/messages', mockRes, {
+                        allowedOrigins: ['http://localhost:3000', 'https://example.com'],
+                        enableDnsRebindingProtection: true
+                    });
+                    await transport.start();
+
+                    const mockReq = createMockRequest({
+                        headers: {
+                            'content-type': 'application/json'
+                        }
+                    });
+                    const mockHandleRes = createMockResponse();
+
+                    await transport.handlePostMessage(mockReq, mockHandleRes, { jsonrpc: '2.0', method: 'test' });
+
+                    expect(mockHandleRes.writeHead).toHaveBeenCalledWith(202);
+                    expect(mockHandleRes.end).toHaveBeenCalledWith('Accepted');
+                });
+
                 it('should reject requests with disallowed origin headers', async () => {
                     const mockRes = createMockResponse();
                     const transport = new SSEServerTransport('/messages', mockRes, {
diff --git a/src/server/sse.ts b/src/server/sse.ts
@@ -79,7 +79,7 @@ export class SSEServerTransport implements Transport {
         // Validate Origin header if allowedOrigins is configured
         if (this._options.allowedOrigins && this._options.allowedOrigins.length > 0) {
             const originHeader = req.headers.origin;
-            if (!originHeader || !this._options.allowedOrigins.includes(originHeader)) {
+            if (originHeader && !this._options.allowedOrigins.includes(originHeader)) {
                 return `Invalid Origin header: ${originHeader}`;
             }
         }
diff --git a/src/server/streamableHttp.test.ts b/src/server/streamableHttp.test.ts
@@ -2678,6 +2678,29 @@ describe.each(zodTestMatrix)('$zodVersionLabel', (entry: ZodMatrixEntry) => {
                 const body = await response.json();
                 expect(body.error.message).toBe('Invalid Origin header: http://evil.com');
             });
+
+            it('should accept requests without origin headers', async () => {
+                const result = await createTestServerWithDnsProtection({
+                    sessionIdGenerator: undefined,
+                    allowedOrigins: ['http://localhost:3000', 'https://example.com'],
+                    enableDnsRebindingProtection: true
+                });
+                server = result.server;
+                transport = result.transport;
+                baseUrl = result.baseUrl;
+
+                const response = await fetch(baseUrl, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        Accept: 'application/json, text/event-stream'
+                    },
+                    body: JSON.stringify(TEST_MESSAGES.initialize)
+                });
+
+                // Should pass even with no Origin headers because requests that do not come from browsers may not have Origin and DNS rebinding attacks can only be performed via browsers
+                expect(response.status).toBe(200);
+            });
         });
 
         describe('enableDnsRebindingProtection option', () => {
diff --git a/src/server/streamableHttp.ts b/src/server/streamableHttp.ts
@@ -228,7 +228,7 @@ export class StreamableHTTPServerTransport implements Transport {
         // Validate Origin header if allowedOrigins is configured
         if (this._allowedOrigins && this._allowedOrigins.length > 0) {
             const originHeader = req.headers.origin;
-            if (!originHeader || !this._allowedOrigins.includes(originHeader)) {
+            if (originHeader && !this._allowedOrigins.includes(originHeader)) {
                 return `Invalid Origin header: ${originHeader}`;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ export class SSEServerTransport implements Transport {`
`79`	`79`	`// Validate Origin header if allowedOrigins is configured`
`80`	`80`	`if (this._options.allowedOrigins && this._options.allowedOrigins.length > 0) {`
`81`	`81`	`const originHeader = req.headers.origin;`
`82`		`- if (!originHeader \|\| !this._options.allowedOrigins.includes(originHeader)) {`
	`82`	`+ if (originHeader && !this._options.allowedOrigins.includes(originHeader)) {`
`83`	`83`	return `Invalid Origin header: ${originHeader}`;
`84`	`84`	`}`
`85`	`85`	`}`
Original file line number	Diff line number	Diff line change
`@@ -228,7 +228,7 @@ export class StreamableHTTPServerTransport implements Transport {`
`228`	`228`	`// Validate Origin header if allowedOrigins is configured`
`229`	`229`	`if (this._allowedOrigins && this._allowedOrigins.length > 0) {`
`230`	`230`	`const originHeader = req.headers.origin;`
`231`		`- if (!originHeader \|\| !this._allowedOrigins.includes(originHeader)) {`
	`231`	`+ if (originHeader && !this._allowedOrigins.includes(originHeader)) {`
`232`	`232`	return `Invalid Origin header: ${originHeader}`;
`233`	`233`	`}`
`234`	`234`	`}`