[GH-ISSUE #2633] [bug]: Unexpected request header modification when using browser extension as proxy #870

Open
opened 2026-03-16 17:30:05 +03:00 by kerem · 3 comments

Originally created by @rizdaprasetya on GitHub (Sep 5, 2022).
Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/2633

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

On https://hoppscotch.io/, using this feature `Use the browser extension to send requests (if present)`, when I create the following request:

CURL equivalent:

curl --request POST \
  --url 'https://hookb.in/YVkaPWyrBbCQjy0QmeZp?param=test' \
  --header 'content-type: application/json' \
  --header 'origin: https://mycustomorigin.com' \
  --header 'referer: https://mycustomreferrer.com/' \
  --header 'user-agent: mycustom-UA' \
  --header 'x-source: mycustom-source' \
  --data '{}'

Then I inspect the request on the destination, and get the following result instead:

## HTTP HEADERS
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7
content-length: 2
content-type: application/json
host: hookb.in
origin: chrome-extension://amknoiejhlmhancpahfcfcfhllgkpbld
sec-ch-ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: none
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
x-source: mycustom-source

## QUERY STRING
param: test

## BODY
{}

Unexpectedly, some of the headers are modified:

  • from origin: https://mycustomorigin.com to origin: chrome-extension://amknoiejhlmhancpahfcfcfhllgkpbld.
  • from user-agent: mycustom-UA to user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
  • removed header referer: https://mycustomreferrer.com/
  • also added some additional headers

Looks like the Browser Extension is overwriting it. (I guess this is a technical limitation, but can we do anything as a workaround?)

Why is it concerning?

  • In some valid use cases, you really want to send custom HTTP headers including user-agent, origin etc., e.g.
    • in cases like debugging an API issue, or
    • to reproduce the exact same request created by another client.
    • You want to emulate a browser request (with a device-specific user-agent).
    • Some APIs even specifically reject requests if the origin header contains a non-whitelisted value.

So having this is important.

Maybe instead of Proxyscotch overwriting the actual user-agent header, it should add its own headers, e.g. x-requested-via-proxy-agent: Proxyscotch/1.1

Steps to reproduce

  1. Prepare an endpoint that can inspect HTTP requests. I used https://hookbin.com/, e.g. I will create an endpoint & get the URL https://hookb.in/YVkaPWyrBbCQjy0QmeZp
  2. Ensure you install the Hoppscotch Browser Extension. On https://hoppscotch.io/, use the feature `Use the browser extension to send requests (if present)`
  3. Import the CURL provided above, and modify the URL with the URL you get from step 1.
  4. Send the request
  5. Inspect the HTTP request result on the destination (in my case I refreshed the Hookbin page I created in step 1.)
  6. You will get the same result as mine above.

Environment

Production

Version

Cloud


@rizdaprasetya commented on GitHub (Sep 5, 2022):

Tried to use proxy as workaround but did not help, Proxy also has its own issue:

  • https://github.com/hoppscotch/proxyscotch/issues/46

@Tineshnehete commented on GitHub (Oct 9, 2022):

Note: This issue is related to hoppscotch-extension,
and the issue is opened at https://github.com/hoppscotch/hoppscotch-extension/issues/166


@madhavpcm commented on GitHub (Jun 21, 2023):

I noticed User-Agent being dropped by the Chrome browser and it was mentioned that Firefox retains that (being a forbidden header). However, this doesn't apply to Referer; Referer gets dropped in both Firefox and Chrome.
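
The header changes reported in this thread match the Fetch Standard's forbidden request-header rules, which prevent script running in a browser from setting headers such as Origin and Referer. The following is an added example, not part of the original issue or of Hoppscotch's code: it classifies the issue's headers and diffs requested against received values. `classifyHeader` and `diffHeaders` are hypothetical names, and User-Agent is flagged separately because the standard no longer lists it as forbidden while the thread reports Chrome still replacing it.

```javascript
// Forbidden request-header names from the Fetch Standard (lowercased).
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const METHOD_OVERRIDE = new Set(["x-http-method", "x-http-method-override", "x-method-override"]);
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// "forbidden": browser script cannot set it; the browser supplies or omits it.
// "browser-dependent": User-Agent, allowed by the standard but reported in
// this thread as replaced by Chrome. "settable": passed through as given.
function classifyHeader(name, value = "") {
  const n = name.trim().toLowerCase();
  if (FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-")) return "forbidden";
  if (METHOD_OVERRIDE.has(n)) {
    const methods = value.split(",").map((m) => m.trim().toUpperCase());
    if (methods.some((m) => FORBIDDEN_METHODS.has(m))) return "forbidden";
  }
  return n === "user-agent" ? "browser-dependent" : "settable";
}

// Compare requested headers with what the destination logged (lowercase keys).
function diffHeaders(sent, received) {
  const report = {};
  for (const [name, value] of Object.entries(sent)) {
    const got = received[name.toLowerCase()];
    const status = got === undefined ? "removed" : got === value ? "kept" : "overwritten";
    report[name] = { status, kind: classifyHeader(name, value) };
  }
  return report;
}

// Requested headers, taken from the curl command in the issue.
const sent = {
  "content-type": "application/json",
  "origin": "https://mycustomorigin.com",
  "referer": "https://mycustomreferrer.com/",
  "user-agent": "mycustom-UA",
  "x-source": "mycustom-source",
};
// Subset of the headers the issue shows arriving at the destination.
const received = {
  "content-type": "application/json",
  "origin": "chrome-extension://amknoiejhlmhancpahfcfcfhllgkpbld",
  "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
  "x-source": "mycustom-source",
};
console.log(diffHeaders(sent, received));
```

Every header the report marks as overwritten or removed is either forbidden or User-Agent, while the settable ones (content-type, x-source) arrive unchanged.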
