From 25656cef672e3beaf9cf330e674c9bd688587589 Mon Sep 17 00:00:00 2001
From: alex
Date: Tue, 9 Jul 2024 11:08:28 +0100
Subject: [PATCH] Allow null origins on dotcom worker requests (#4105)
GET requests to the same origin don't send the `origin` headers. in other situations we care about (CORS requests) we want to block unknown origins, but if the origin header is missing it's probably because this is a same-origin request, so we should allow it. Fixes an issue loading bookmarks on mobile devices
### Change type
- [x] `bugfix`
---
 apps/dotcom-worker/src/worker.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/apps/dotcom-worker/src/worker.ts b/apps/dotcom-worker/src/worker.ts
index c7780d190..aaed53bd7 100644
--- a/apps/dotcom-worker/src/worker.ts
+++ b/apps/dotcom-worker/src/worker.ts
@@ -105,7 +105,11 @@ async function blockUnknownOrigins(request: Request, env: Environment) {
 }
 const origin = request.headers.get('origin')
- if (env.IS_LOCAL !== 'true' && (!origin || !isAllowedOrigin(origin))) {
+
+ // if there's no origin, this cannot be a cross-origin request, so we allow it.
+ if (!origin) return undefined
+
+ if (env.IS_LOCAL !== 'true' && !isAllowedOrigin(origin)) {
 console.error('Attempting to connect from an invalid origin:', origin, env, request)
 return new Response('Not allowed', { status: 403 })
 }
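Review bot: The new guard `if (!origin) return undefined` is explained by the added comment as proof of a same-origin request, but an absent Origin header only shows the request did not come from a browser in a cross-site context — non-browser clients typically never send it, and browsers omit it on same-origin GET/HEAD and some navigations — so after this change blockUnknownOrigins is a cross-site-browser filter only and must not be what gates access to the routes it fronts. The comment should state that limit, e.g. `// Browsers omit Origin on same-origin GET/HEAD and non-browser clients usually never send it; a missing Origin means "not a cross-site browser request", not "trusted" — per-route auth still applies.` If this check is also relied on for state-changing routes, restricting the bypass to safe methods keeps the cross-site protection there, since browsers attach Origin to every POST/PUT/DELETE and to WebSocket handshakes: `if (!origin && (request.method === 'GET' || request.method === 'HEAD')) return undefined`. The literal string `null` (sent for opaque origins such as sandboxed frames) is not matched by `!origin` and still reaches `isAllowedOrigin`, which is presumably intended, and the unchanged `console.error` on the following line logs the whole `env` object, which is worth confirming holds no secrets. blockUnknownOrigins starts before the hunk and continues past it.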