
fix: remove signed fetch origin & referer #2905

Closed
wants to merge 2 commits

Conversation

m3taphysics
Collaborator

What does this PR change?

Whenever we attempt to set these values explicitly LIBCURL throws the following errors:

The header Origin is managed automatically, setting it may have no effect or result in unexpected behavior.
The header Referer is managed automatically, setting it may have no effect or result in unexpected behavior.

Digging deeper, it was introduced due to a specific server-side check here, which effectively means we are forced to "spoof" the origin rather than let the library manage the origin itself (for security purposes).

No other endpoints should reject based on origin in this way, so it should be fixed server-side to ensure the guestbook works in Goerli. The CORS policies should be set up server-side to ensure security, avoid CSRF attacks, and allow localhost requests but not cross-origin ones.

How to test the changes?

  • Play happy paths
  • Ensure mini-games work as expected and the usual progress is saved

NOTE: Guestbook will no longer work

Our Code Review Standards

https://github.com/decentraland/unity-renderer/blob/master/docs/code-review-standards.md
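One way to implement the server-side origin policy the PR description asks for (localhost allowed, other cross-origin requests rejected, CSRF still covered). This is an added example, not code from this PR, from unity-renderer, or from any Decentraland scene server; every function name is hypothetical, the allowlisted origin `https://play.decentraland.org` is an assumption, and the sample headers are constructed. It places a substring-style origin check of the kind the PR says it had to satisfy beside a hardened version that parses the header, matches exactly, tolerates a missing Origin (a non-browser client whose HTTP stack manages that header itself) and echoes the matching CORS response headers.

```javascript
// Added example, not code from the Decentraland unity-renderer or from any scene
// server. All names are hypothetical; the allowlisted origin is assumed.
//
// A scene server receiving "signed fetch" requests wants two separate things:
//  1. CSRF protection for browser clients, which is what the Origin header is for;
//  2. request authenticity, which must come from the request signature, not from
//     Origin, because any non-browser client can put whatever it likes in that header.
// The weak check only attempts (1), by string matching, so it rejects legitimate
// clients whose HTTP library manages Origin and accepts a look-alike host.

const ALLOWED_ORIGINS = new Set([
  'https://play.decentraland.org', // assumed production client origin
]);

// Weak: substring match on a spoofable header.
function weakOriginCheck(headers) {
  const origin = headers.origin || '';
  return origin.includes('decentraland.org');
}

// Normalise an Origin header value to scheme://host[:port], or null if malformed.
// Rejects the literal "null" origin, non-http(s) schemes, paths, queries and credentials.
function parseOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
  return u.origin; // lower-cased host, default port stripped
}

// Local preview on any port, plain http only.
function isLocalhostOrigin(origin) {
  const u = new URL(origin);
  return u.protocol === 'http:' &&
    (u.hostname === 'localhost' || u.hostname === '127.0.0.1' || u.hostname === '[::1]');
}

// Hardened: returns the decision plus the CORS headers to attach to the response.
function checkOrigin(headers, method = 'POST') {
  const raw = headers.origin;
  if (raw === undefined) {
    // No Origin: not a cross-site browser request, so there is no CSRF decision to
    // make here. The caller must still verify the request signature before acting.
    return { allow: true, reason: 'no-origin', cors: {} };
  }
  const origin = parseOrigin(raw);
  if (origin === null) {
    return { allow: false, reason: 'malformed-origin', cors: {} };
  }
  if (!ALLOWED_ORIGINS.has(origin) && !isLocalhostOrigin(origin)) {
    return { allow: false, reason: 'cross-origin', cors: {} };
  }
  const cors = {
    'Access-Control-Allow-Origin': origin, // echo the exact allowed origin, never "*"
    'Vary': 'Origin',                      // caches must not reuse this across origins
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    // Add whatever request headers the signed-fetch client actually sends.
    'Access-Control-Allow-Headers': 'Content-Type',
  };
  return { allow: true, reason: method === 'OPTIONS' ? 'preflight' : 'allowed-origin', cors };
}

// Constructed sample requests, for running the file directly.
const samples = [
  { origin: 'https://play.decentraland.org' },
  { origin: 'https://play.decentraland.org.evil.example' },
  { origin: 'http://localhost:8000' },
  {}, // client whose HTTP stack manages Origin: header absent
];
for (const h of samples) {
  console.log(JSON.stringify(h), 'weak:', weakOriginCheck(h), 'hardened:', checkOrigin(h).reason);
}
```

The point of the split is that Origin decides only whether a browser-initiated request may proceed; it never authenticates the caller. A client that cannot set the header (as the PR description reports for the renderer) still passes the hardened check and is then authenticated by the signed-fetch signature, while a server that insists on a specific Origin string is relying on a value any non-browser client can forge.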

Collaborator

@dalkia dalkia left a comment


Looks good to me, while keeping in mind that we will lose that SDK scene support

@nearnshaw
Member

I fear that this change will make us lose dozens of SDK scenes.
I'm still unclear on what the gain is for doing this change.

I think of that example scene as a canary in a coal mine. The checks that the server of that scene does have for many years been shared as the best-practice way to check the legitimacy of scene requests. I'm sure there are a lot of scenes out there that still employ the same checks.

If we decide to merge this, which I'm not convinced we should, we need to plan clear communications and a rollout plan for it.

@nearnshaw
Member

We link that same example scene from the docs, amongst others that also do the same checks:

https://docs.decentraland.org/creator/development-guide/sdk7/authoritative-server/#example-scenes-with-dedicated-server

4 participants