Description
When using meilisearch-js in a browser project (e.g. in meilisearch-ui), I noticed that the requests sent to the Meilisearch instance include the Origin header, but do not include the Referer header. This happens even when the request is initiated from a standard browser environment, and no custom fetch or header logic is added in the app code.
It would be helpful if the browser could include the Referer header in requests to Meilisearch, as this would allow us to implement more flexible or granular CORS policies at the backend Nginx or CDN layer. For example, some infrastructure can use the Referer as an additional check to validate the source of requests, or to fine-tune access control alongside the Origin header.
Expected behavior
I expected the browser requests to include both Origin and Referer headers, as is common with most cross-origin fetches from browsers. This would help with server-side logging, debugging, and allow us to set up more advanced CORS rules in Nginx or a CDN.
Current behavior
Only the Origin header is sent with the requests to the Meilisearch endpoint. The Referer header is missing from the request. This has been observed consistently across multiple browsers.
Screenshots or Logs
No log, just missing the header.
Environment (please complete the following information):
- OS: Debian
- Meilisearch version: meilisearch 1.13.3
- meilisearch-js version: Meilisearch JS SDK version in use: 0.49.0
- Browser: Firefox 128.11.0esr (64-bit)
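
The source check the issue describes (Origin validated, Referer used as an additional signal) can be sketched as a decision function for a proxy in front of Meilisearch. This is an added example, not part of the original issue and not meilisearch-js or Meilisearch code; ALLOWED_ORIGINS, originOf, checkRequestSource and the example.com hosts are hypothetical names and constructed values.

```javascript
// Added example: evaluate the Origin and Referer request headers together.
// Both headers are supplied by the client, so this is a filter for browser
// traffic and does not replace Meilisearch API keys.
const ALLOWED_ORIGINS = new Set(["https://search-ui.example.com"]); // constructed value

// Return the origin ("scheme://host[:port]") of a header value, or null if it
// is not a well-formed http(s) URL.
function originOf(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:" ? u.origin : null;
  } catch {
    return null;
  }
}

// headers: object with lower-cased header names, as a proxy would expose them.
function checkRequestSource(headers) {
  const origin = headers["origin"];
  const referer = headers["referer"];

  // Origin must be present, well-formed and on the allowlist.
  if (!origin || originOf(origin) !== origin || !ALLOWED_ORIGINS.has(origin)) {
    return { allow: false, reason: "origin-not-allowed" };
  }
  // Referer absent (the situation reported in the issue): decide on Origin alone.
  if (referer === undefined) {
    return { allow: true, reason: "origin-only" };
  }
  // Referer present: its origin must agree with the Origin header.
  if (originOf(referer) !== origin) {
    return { allow: false, reason: "referer-mismatch" };
  }
  return { allow: true, reason: "origin-and-referer" };
}

// Constructed sample requests.
const samples = [
  { origin: "https://search-ui.example.com" },
  { origin: "https://search-ui.example.com", referer: "https://search-ui.example.com/indexes/movies" },
  { origin: "https://search-ui.example.com", referer: "https://other.example.net/" },
  { origin: "https://other.example.net" },
];
for (const h of samples) console.log(JSON.stringify(h), "->", checkRequestSource(h).reason);
```

A rule that requires Referer unconditionally would reject the first sample, which is the request shape the issue reports.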