Allow setting host header in fetch call

[paulrutter]

This would solve...

See #2322 (comment) and https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#undici---cookie-headers-are-not-cleared-in-cross-domain-redirect-in-undici-fetch-high---cve-2023-45143. In the latest security release, fetch doesn't allow setting the host header anymore.

This leads to problems when the host header is a required header, in case you want to do a request to an external application that requires both an IP address and a host header value (for routing the request to the right context).

A similar bug report here: nodejs/node#50305

The implementation should look like...

A solution could be to have a Node.js CLI flag like --allowHostHeader or more generic --allowHeaders=host, that is handled in undici.

I have also considered...

There is no workaround, except using a userland HTTP library like got (which does not block the host header from being set).

[ronag]

I think this is probably one of those cases where you shoulnd't be using fetch. Use undici.request instead.

[paulrutter]

@ronag does that mean that my application then has to add a dependency on undici, and thus not use Node.js fetch?

[ronag]

@ronag does that mean that my application then has to add a dependency on undici, and thus not use Node.js fetch?

Correct.

[ronag]

fetch should really just be used for cases where isomorphic code is required, e.g. libraries. It's simply not the right tool for back end development in general.

[paulrutter]

Ok, that makes sense. Will have a go with that approach.