#8185 `wrangler dev` strips port from `Origin` header when running with `--host`
Bug reproduces on wrangler 4.60.0 - port stripped from Origin/Referer headers with --host flag
Prioritize for fix - open almost a year with no progress
Analysis Report
Issue Review: cloudflare/workers-sdk#8185
Summary
wrangler dev strips port from Origin and Referer headers when using the --host flag.
Findings
- Created: 2025-02-19
- Updated: 2025-10-30
- Version: 3.109.2 → 4.60.0 (current)
- Component: wrangler dev
- Labels: bug
- Comments: 0
Key Evidence
- No merged PRs found that reference this issue or fix the Origin/Referer header handling with
--host - Not mentioned in CHANGELOG - no entry found for issue #8185
- Reproduction successful - Bug confirmed on wrangler 4.60.0:
- Without
--host: Headers pass through correctly with port - With
--host localhost:4000: Port is stripped from Origin (http://localhost) and Referer (http://localhost/some/path)
- Without
- Issue has clear reproduction steps and minimal example provided by reporter
Reproduction Results
# Without --host (CORRECT):
Host: localhost:8787
Origin: http://localhost:8787
Referer: http://localhost:8787/some/path
# With --host localhost:4000 (BUG):
Host: localhost:4000
Origin: http://localhost
Referer: http://localhost/some/path
Recommendation
Status: KEEP OPEN
Reasoning: The bug reproduces on the latest wrangler version (4.60.0). This is a valid, reproducible bug with clear steps and no evidence of any fix having been merged. The issue affects developers using the --host flag who rely on accurate Origin/Referer headers for CORS or authentication workflows.
Action: Prioritize for fix - this bug has been open for almost a year with no progress. Consider adding to a sprint for resolution.
Solution Recommendation
Root Cause Analysis
File: packages/wrangler/src/api/startDevWorker/LocalRuntimeController.ts
Lines: 352-356
userWorkerInnerUrlOverrides: {
protocol: data.config?.dev?.origin?.secure ? "https:" : "http:",
hostname: data.config?.dev?.origin?.hostname,
port: data.config?.dev?.origin?.hostname ? "" : undefined, // BUG: explicitly clears port
},
When a hostname is provided via --host, the code sets port: "" which explicitly clears the port. This affects Origin and Referer headers that are rewritten in ProxyWorker.ts.
Same issue exists in:
packages/wrangler/src/api/startDevWorker/MultiworkerRuntimeController.ts:245-249
Proposed Solution
Remove the port override when hostname is set. The port should come from the original request URL:
// BEFORE:
userWorkerInnerUrlOverrides: {
protocol: data.config?.dev?.origin?.secure ? "https:" : "http:",
hostname: data.config?.dev?.origin?.hostname,
port: data.config?.dev?.origin?.hostname ? "" : undefined,
},
// AFTER:
userWorkerInnerUrlOverrides: {
protocol: data.config?.dev?.origin?.secure ? "https:" : "http:",
hostname: data.config?.dev?.origin?.hostname,
// Don't override port - let it come from the original request URL
},
Implementation Difficulty: Easy
| Factor | Assessment |
|---|---|
| Lines of code | Single line removal in 2 files |
| Risk | Low - conservative fix that removes problematic behavior |
| Testing | Easy - existing e2e test infrastructure |
| Scope | 2 files |
| Breaking changes | None - fixes incorrect behavior |
Files to Modify
packages/wrangler/src/api/startDevWorker/LocalRuntimeController.ts- Remove line 355packages/wrangler/src/api/startDevWorker/MultiworkerRuntimeController.ts- Remove line 248
Testing Recommendations
Add to packages/wrangler/e2e/dev.test.ts:
describe("--host flag", () => {
it("preserves port in Origin header when using --host", async () => {
// Worker that echoes headers
const response = await fetch(url, {
headers: {
'Origin': `http://localhost:${port}`,
'Referer': `http://localhost:${port}/some/path`,
}
});
const data = await response.json();
expect(data.origin).toContain(`:${port}`);
expect(data.referer).toContain(`:${port}`);
});
});
Notes & Feedback (0)
No notes yet.