Max

Reputation: 329

Why is the origin header sent for same-origin requests?

According to https://fetch.spec.whatwg.org/#origin-header :

The Origin header is a version of the Referer header that does not reveal a path. It is used for all HTTP fetches whose request’s response tainting is "cors", as well as those where request’s method is neither GET nor HEAD. Due to compatibility constraints it is not included in all fetches.

As I understand it, in particular, the Origin header should be sent with any same-origin request except for GET and HEAD methods. How can the Origin header be useful in this same-origin case? And why is the exception made for the GET and HEAD methods?

Upvotes: 1

Views: 571

Answers (1)

Anne

Reputation: 7643

It can help as a CSRF mitigation. So you know your own site made the POST. Using Origin as a CSRF mitigation was an afterthought and since it was already deployed for CORS usage, some servers got confused when it was added for GET (at least), which is why it's not included there.

Upvotes: 2
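As an added illustration (not part of the answer above), this is how a server can apply the CSRF mitigation Anne describes: state-changing requests must carry an Origin matching one of the site's own origins, while GET and HEAD are exempt because browsers may omit Origin there. The allowed origin `https://example.com` and the request headers are constructed sample values; the Referer fallback is an assumption about how a deployment might handle clients that omit Origin.

```python
from urllib.parse import urlsplit

# Methods for which browsers may legitimately omit Origin on same-origin
# requests (see the Fetch spec quoted in the question), so no Origin check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_origin(method, headers, allowed_origins):
    """Decide whether a request passes an Origin-based CSRF check.

    Returns (accepted, reason). State-changing requests must carry an Origin
    (or, failing that, a Referer) whose scheme://host[:port] is one of the
    site's own origins; the opaque "null" origin is never accepted.
    """
    allowed = {o.lower() for o in allowed_origins}
    if method.upper() in SAFE_METHODS:
        return True, "safe method: Origin not required"

    origin = _header(headers, "Origin")
    if origin is None:
        # Assumed fallback: derive the origin from Referer (path dropped),
        # which is exactly what Origin is a path-less version of.
        referer = _header(headers, "Referer")
        if referer:
            parts = urlsplit(referer)
            if parts.scheme and parts.netloc:
                origin = f"{parts.scheme}://{parts.netloc}"
    if origin is None:
        return False, "state-changing request without Origin or Referer"
    normalized = origin.strip().lower()
    if normalized == "null":
        return False, "opaque 'null' origin rejected"
    if normalized in allowed:
        return True, "origin matches one of our own"
    return False, f"foreign origin {origin!r}"
```

A request that fails this check should be rejected before any side effect runs; logging the rejected Origin value gives a useful CSRF detection signal.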
