fix(api-block): stop spoofing a browser fingerprint on outbound HTTP requests#5496
Conversation
…requests getDefaultHeaders() sent a Chrome User-Agent, a Referer pointing at Sim's own app, and mismatched Sec-Ch-Ua client hints on every API block request. Atlassian's Jira/Confluence Cloud REST API (and other browser-aware anti-CSRF/bot-defense layers) reject requests carrying a browser User-Agent with 403 "XSRF check failed", even with a valid Basic-auth header and X-Atlassian-Token: no-check set. Default headers now identify honestly as Sim, matching how other HTTP clients (curl, Postman, axios) behave. User-supplied headers still override any default.
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryMedium Risk Overview Tests assert the new defaults, that Referer is absent unless the user sets it, and that custom headers still override defaults. Shared test mocks in Reviewed by Cursor Bugbot for commit 326ae91. Configure here. |
Greptile SummaryThis PR removes browser-fingerprint headers (
Confidence Score: 5/5Safe to merge — the change removes outbound headers that were actively causing request failures and replaces them with a correct server-to-server identity. User-supplied headers continue to override defaults unchanged. The diff is minimal and surgical: four hardcoded browser-fingerprint headers are deleted from No files require special attention. Important Files Changed
Sequence Diagram%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant U as User / Workflow
participant AB as API Block
participant GDH as getDefaultHeaders()
participant T as Target API (e.g. Jira)
U->>AB: Execute HTTP request
AB->>GDH: getDefaultHeaders(customHeaders, url)
Note over GDH: Before: User-Agent = Chrome 135<br/>Referer = sim.ai<br/>Sec-Ch-Ua* = Chromium v91
Note over GDH: After: User-Agent = Sim/1.0 (+https://sim.ai)<br/>No Referer, no Sec-Ch-Ua*
GDH-->>AB: "{ User-Agent, Accept, Accept-Encoding, Cache-Control, Connection, Host, ...customHeaders }"
AB->>T: "fetch(url, { headers })"
alt Before fix
T-->>AB: 403 XSRF check failed
else After fix
T-->>AB: 201 Created
end
AB-->>U: Response
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
participant U as User / Workflow
participant AB as API Block
participant GDH as getDefaultHeaders()
participant T as Target API (e.g. Jira)
U->>AB: Execute HTTP request
AB->>GDH: getDefaultHeaders(customHeaders, url)
Note over GDH: Before: User-Agent = Chrome 135<br/>Referer = sim.ai<br/>Sec-Ch-Ua* = Chromium v91
Note over GDH: After: User-Agent = Sim/1.0 (+https://sim.ai)<br/>No Referer, no Sec-Ch-Ua*
GDH-->>AB: "{ User-Agent, Accept, Accept-Encoding, Cache-Control, Connection, Host, ...customHeaders }"
AB->>T: "fetch(url, { headers })"
alt Before fix
T-->>AB: 403 XSRF check failed
else After fix
T-->>AB: 201 Created
end
AB-->>U: Response
Reviews (2): Last reviewed commit: "fix(testing): sync shared tool-tester mo..." | Re-trigger Greptile |
createMockHeaders in the shared @sim/testing tool-tester builder still hardcoded the old Chrome UA / Referer / Sec-Ch-Ua fallback values. It was unreachable in current tests but would silently diverge from production getDefaultHeaders() for any future test hitting its fallback path.
|
@greptileai review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 326ae91. Configure here.
Summary
403 XSRF check failed, even with a valid Basic-auth header andX-Atlassian-Token: no-checkset. Identical requests via curl return201every time.getDefaultHeaders()(apps/sim/tools/http/utils.ts) unconditionally sent a ChromeUser-Agent, aRefererpointing at Sim's own app domain, and mismatchedSec-Ch-Ua*client hints (UA claims Chrome 135, Sec-Ch-Ua claims Chromium v91) on every outbound API block request. Atlassian's own support KB confirms REST calls carrying a browser User-Agent can fail CSRF checks independent ofX-Atlassian-Token.Sim/1.0 (+https://sim.ai), matching how curl/Postman/axios identify themselves. DroppedRefererandSec-Ch-Ua*entirely — none are meaningful for a server-to-server API client. User-supplied headers continue to override any default (unchanged).Test plan
bunx vitest run tools/http/request.test.ts— 26/26 pass (updated assertions for the new defaults + added coverage for default-absent and user-override cases)tsc --noEmitclean on touched filesbiome checkclean on touched files