
MindSphere app origin header

Siemens Genius

As documented in Authentication & Authorization: Calling APIs from Frontend, a frontend app needs to set, among others, the origin header. This I do and my app works.

However, I notice the following message in the JavaScript console of my browser when the app launches:

Attempt to set a forbidden header was denied: origin

I removed the origin header and the message disappears, and importantly, my app still works!

I'm interested, what's up here? Why the documented requirement to set the origin header?

3 REPLIES

Re: MindSphere app origin header

Legend
I would also be really interested in having an official MindSphere devs answer.

Re: MindSphere app origin header

Experimenter

I noticed this too.

My assumption is that the author of the MindSphere documentation was using the fetch polyfill for some reason (IE 9?!) instead of the native fetch browser API and therefore hasn't noticed that the Origin header can't be set when using the native implementation.

The fetch spec clearly states which headers have to stay in the full control of the browser:

https://fetch.spec.whatwg.org/#terminology-headers

Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Cookie2
Date
DNT
Expect
Host
Keep-Alive
Origin
Proxy-
Sec-
Referer
TE
Trailer
Transfer-Encoding
Upgrade
Via

I think that the MindSphere documentation needs to be improved to reflect the current state of the implementation.
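
Added example, not part of the original post or of the MindSphere documentation: a small check that sorts the headers a frontend intends to send into those the browser will accept and those it will refuse, using the list as quoted in the reply above (`Proxy-` and `Sec-` treated as name prefixes, matching case-insensitive). The function names and the sample headers are hypothetical.

```javascript
// Forbidden request-header names, taken from the list quoted in the reply above.
// Header names are case-insensitive, so everything is compared in lower case.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
// "Proxy-" and "Sec-" in the list are prefixes, not complete header names.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// True if page script is not allowed to set this request header.
function isForbiddenHeaderName(name) {
  const n = String(name).toLowerCase();
  return FORBIDDEN_NAMES.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Split a plain headers object into what script may set and what the
// browser keeps under its own control.
function splitHeaders(headers) {
  const allowed = {};
  const refused = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenHeaderName(name)) refused.push(name);
    else allowed[name] = value;
  }
  return { allowed, refused };
}

// Constructed sample: headers a frontend might try to attach to an API call.
const sample = {
  "Content-Type": "application/json",
  "X-Custom-Header": "constructed-value",
  Origin: "https://app.example",
  "Sec-Fetch-Site": "same-origin",
};
const result = splitHeaders(sample);
console.log("script may set:", Object.keys(result.allowed));
console.log("browser-controlled:", result.refused);
```

Because the browser sets Origin itself and script cannot override it, a server can rely on the value it receives from a browser when making cross-origin decisions.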

Re: MindSphere app origin header

Siemens Genius

We are going to update the documentation.