CORS and Origin header?

Question

When we need to invoke an Ajax request we do :

if(typeof XMLHttpRequest !== 'undefined') xhr = new XMLHttpRequest();
else
{
    var versions = ["Microsoft.XmlHttp",
            "MSXML2.XmlHttp",
            "MSXML2.XmlHttp.3.0",
            "MSXML2.XmlHttp.4.0",
            "MSXML2.XmlHttp.5.0"
    ];

I already know that using XMLHttpRequest-2 ,we can make a cross origin request AND that the ORIGIN header is added.

Question:

When does this header added ?
- Is it added when a browser (that support CORS) is performing a request ? ( cross domain or non-cross-domain?)
- Or is it added automatically when the browser "sees" that the request target origin is different from the current origin...

I mean : what the He** does the bold line mean ?

Cross-origin HTTP requests have an Origin header. This header provides the server with the request’s origin. This header is protected by the browser and cannot be changed from application code. In essence, it is the network equivalent of the origin property found on message events used in Cross Document Messaging. The origin header differs from the older referer [sic] header in that the referer is a complete URL including the path. Because the path may contain sensitive information, the referer is sometimes not sent by browsers attempting to protect user privacy. However, the browser will always send the required Origin headers when necessary.

A note re: CORS usage and Internet Explorer: http://caniuse.com/#search=cors — Jonas G. Drange, Apr 13 '13 at 13:54
Also there is a bug in IE and the Origin header when the only difference of the origin is the port: http://stackoverflow.com/a/20784210/1268003 — Martin Andersson, Dec 26 '13 at 15:31

Paul S. · Accepted Answer · 2013-04-13T15:28:28.787

51

The Origin header

When this header is added ?

During the header's stage, before the document's body is sent (after open, before send).

Is it added when a browser (that support CORS) is doing a request ? ( cross domain or non-cross-domain?)

It is added when the origin doesn't match the page from which the XMLHttpRequest is created, but may also be sent in a same-origin request.

Or does it added automatically when the browser "sees" that the request target origin is different from the current origin...

Yes.

However, the browser will always send the required Origin headers when necessary.

This is part of the XMLHttpRequest spec; if you're making a cross-domain request, in the request headers an extra header is sent. This header is e.g. Origin: http://www.stackoverflow.com and is appended by a standards-following browser without user interaction.

You can read more on the specification in MozillaWiki's Security section, WHATWG and html5.org. It is implemented by (that I know of) FireFox and Google Chrome. I don't believe it is part of W3C yet. Further do not assume the origin header is true, as it can be set manually by modified borwsers or other software.

edited Apr 13 '13 at 15:28

answered Apr 13 '13 at 14:06

Paul S.

64,864
9
122
138

1

@RoyiNamir I re-read the spec and re-worded the second answer to allow for this, as the spec doesn't mention it in too much detail. I've never seen it happen before, though, and wouldn't rely on html5rocks.com as a primary source for how browsers implement the spec. – Paul S. Apr 13 '13 at 15:31
For those that are coming to this after the fact scratching their heads about a missing Origin header, it sounds like the *intent* is to always send one, but there was confusion about this (around the beginning of 2019) and this is still [under discussion](https://github.com/whatwg/fetch/issues/871). – Coderer Aug 13 '19 at 10:13
I understand why “do not assume the origin header is true”, but in that case why is that useful at all if we can not trust it? – PEZO Sep 11 '21 at 02:59
1

@PEZO it depends on your use case whether the risk it is falsified matters/is worth it. 99.999...% of the time your users will provide real data, so does that 0.000...1% of time time cause a security risk? If you're not using it to grant access to a secure thing it is probably not a concern. If you're using it to get metrics on traffic sources for planning marketing budgets, it is probably not a concern. – Paul S. Sep 11 '21 at 12:36

Robyflc · Answer 2 · 2013-04-13T13:57:03.853

The origin header is added automatically (generally) when you do a cross domain request.

To test it, I opened the console on this page and made two different requests: one for another domain and one for '/' and just the first got the origin header added.

BTW, I'm using JQuery for it and I'd really advise you to use it too in order to have the same behavior cross-browser.

For complementary info on the subject, check this:

The first thing to note is that a valid CORS request always contains an Origin header. This Origin header is added by the browser, and can not be controlled by the user. The value of this header is the scheme (e.g. http), domain (e.g. bob.com) and port (included only if it is not a default port, e.g. 81) from which the request originates; for example: http://api.alice.com.

The presence of the Origin header does not necessarily mean that the request is a cross-origin request. While all cross-origin requests will contain an Origin header, some same-origin requests might have one as well. For example, Firefox doesn't include an Origin header on same-origin requests. But Chrome and Safari include an Origin header on same-origin POST/PUT/DELETE requests (same-origin GET requests will not have an Origin header).

Source

CORS and Origin header?

2 Answers2

The Origin header

Linked