Koa: req.origin should display the `origin` header if it exists, not the current hostname

Created on 23 Jun 2017 · 11 Comments · Source: koajs/koa

version-major

All 11 comments

For the origin header, it is better to use request.get('origin') than request.origin.

I think this would be a good change, request.origin isn't used by us for this reason. I think most plugins/users behind a proxy in need of origin get it via request.get anyway. E.g. https://github.com/koajs/cors/blob/master/index.js#L46

If this is done (thus semver-major bump), maybe consider other #904, and dropping https://github.com/koajs/koa/blob/master/lib/application.js#L107?

@jonathanong if you'd like to proceed with a new version, maybe create a v3 milestone as "todos"?

Edit: oh, the milestone already existed!

👍

What's the expected behaviour here?

```
if header.origin:
  return header.origin
else
  return this.protocol + this.host // current behaviour
```

I don't agree with returning header.origin when it exists, else returning protocol + host, for header.origin is mostly used for CORS. I think it should return header.origin directly.

origin should reflect exactly-and-only what exists in the request. Special casing the behavior will be confusing and unexpected, especially when proxies/load balancers/VPNs start getting involved.

Yeah, it was very confusing to me, had to fall back to request.get('origin')

So let me try to understand that. If I want to compose links in my response that the client can directly follow, I have to use the origin header? Is it always guaranteed to be set?

why i use baseURl 127.0.0.1:port/xxxxxxxx in ssr get data, get hostname is { localhost: port } just equal the url ..........

I don't agree with returning header.origin when it exists, else returning protocol + host, for header.origin is mostly used for CORS. I think it should return header.origin directly.

I agree. origin just should indicate where a fetch originates from. Not the host to which the request is being sent.
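The distinction the thread settles on, shown as an added example that is not part of the original thread and is not Koa's own code: a stand-alone model comparing protocol + host (what request.origin returns today) with the Origin header (what request.get('origin') returns) when making a CORS allowlist decision. The request objects, host names and allowlist are constructed assumptions.

```javascript
// Added example; the request objects below are constructed, not captured traffic.
// serverOrigin() mirrors what request.origin returns today (protocol + host);
// headerOrigin() mirrors request.get('origin') ('' when the header is absent).
const serverOrigin = (req) => `${req.protocol}://${req.headers.host}`;
const headerOrigin = (req) => req.headers.origin || '';

const ALLOWED = new Set(['https://app.example']); // hypothetical allowlist

// CORS decision keyed on the Origin header: the value the caller's browser sent.
function allowOriginFromHeader(req) {
  const origin = headerOrigin(req);
  return origin && ALLOWED.has(origin) ? origin : null;
}

// Same decision keyed on protocol + host: it only ever sees the server's own
// address, so the result does not depend on who is calling.
function allowOriginFromServerOrigin(req) {
  const origin = serverOrigin(req);
  return ALLOWED.has(origin) ? origin : null;
}

const samples = {
  // Cross-origin fetch from an allowlisted site; API sits behind a TLS-terminating proxy.
  allowed: { protocol: 'http', headers: { host: 'api.internal:3000', origin: 'https://app.example' } },
  // Cross-origin fetch from a site that is not allowlisted.
  other: { protocol: 'http', headers: { host: 'api.internal:3000', origin: 'https://other.example' } },
  // Request that carries no Origin header at all.
  noOrigin: { protocol: 'http', headers: { host: 'api.internal:3000' } },
};

// One row per sample: both candidate values and both decisions side by side.
function report() {
  return Object.entries(samples).map(([name, req]) => ({
    name,
    serverOrigin: serverOrigin(req),
    headerOrigin: headerOrigin(req),
    byHeader: allowOriginFromHeader(req),
    byServerOrigin: allowOriginFromServerOrigin(req),
  }));
}

console.table(report());
```
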
