1

I'm talking about a CORS preflight HTTP request by the OPTIONS method which is sent by default by the browser before the actual request. In that request is it possible to make Orgin header to include the full url path?

OPTIONS / HTTP/1.1  
Host: example.com
Origin: http://www.example.com/blah

I want my page to send full url in Origin header. Is there any way to trick the browser to do so?

graypacket
  • 98
  • 1
  • 11
  • 1
    Isn't a `REFERER` (sic) header sent by default? – Robby Cornelissen Feb 09 '17 at 09:49
  • @RobbyCornelissen see the new description. – graypacket Feb 09 '17 at 10:10
  • Not possible, in my opinion. – Robby Cornelissen Feb 09 '17 at 10:12
  • As far as the Referer header, you can’t depend on it. Users can choose to have their browsers not send it http://kb.mozillazine.org/Network.http.sendRefererHeader (and to suppress document.referrer too) , and there are lots of other conditions in which it may be empty http://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty/6880668#6880668 And the in browsers that support Referer Policy, authors can also cause the Referer header to be empty https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty/28836003#28836003 – sideshowbarker Feb 09 '17 at 10:33

3 Answers3

1

you can always pass this value on the ajax parameters using something like:

$.ajax(url, {
      fullOrigin: window.location.href
   }
)

like #Robby Cornelisse said - most servers will hold REFERER server variable with this value.

amir mishori
  • 150
  • 4
  • see the new description. – graypacket Feb 09 '17 at 10:10
  • Second parameter in `jQuery.ajax()` is settings object. There is no `fullOrigin` key, jQuery will ignore it and it's value. For more information see [jQuery.ajax() documentation](http://api.jquery.com/jquery.ajax/#jQuery-ajax-settings). – Leonid Vasilev Feb 09 '17 at 12:38
1

The browser will send a REFERER header containing the full URL with your AJAX request.

In the screenshot below, I just used the console to send an AJAX request from this page. Notice the Referer header.

Referer header

Robby Cornelissen
  • 91,784
  • 22
  • 134
  • 156
0

No, it's not possible. Origin is a scheme, domain and port parts of an URI by definition.

One option is to send current document URI to server using query part of request URI. You can use code below to change URI of every cross origin request on your page:

window.addLocation = function( uri ) {
  var parser = document.createElement('a');
  parser.href = uri;
  var and = parser.search ? "&" : "";
  parser.search = parser.search + and + "madeBy=" + window.location;
  return parser.href;
};

var xhr = new XMLHttpRequest();
xhr.open( "GET", window.addLocation( originalUri ), true );

Note that current page URI may contain sensitive information, and that browser identifies HTTP Cache entries by URI including query.

For more information check:

Community
  • 1
  • 1
Leonid Vasilev
  • 11,910
  • 4
  • 36
  • 50