David Klempfner

Reputation: 9890

Why have Origin and Referer headers when Referer has enough information?

If the Referer header has the Origin in it anyway, what is the point of having both?

If the server receiving an HTTP request wants to know the Origin, it can just look at the domain in the Referer header.

I understand that the Referer header is not sent if it's an HTTPS to HTTP request (and many other scenarios), but why didn't they design it so that instead of removing it, it was still sent, but it only had the domain name (which the Origin header would have)?

Upvotes: 24

Views: 16907

Answers (1)

Marek Kamiński

Reputation: 432

Citing from here https://security.stackexchange.com/questions/158045/is-checking-the-referer-and-origin-headers-enough-to-prevent-csrf-provided-that

In order to preserve privacy, any browser request can decide to omit the Referer header. So it is probably best to only check the Origin header. (In case you want to allow for users to preserve their privacy)

The Origin header is null in some cases. Note that all of these requests are GET requests, which means they should not have any side effects.

Upvotes: 11
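As an added example (not code from either poster), here is a server-side check that follows the answer's advice: prefer the Origin header, fall back to the origin part of Referer only when Origin is absent or `null`, and skip the check entirely for GET and other safe methods, which should have no side effects. The allowlist and function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins this hypothetical application serves.
ALLOWED_ORIGINS = {"https://app.example.com"}
# Safe methods carry no side effects, so a cross-site GET is not a CSRF risk.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a full URL (e.g. a Referer value) to its origin: scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers):
    """Return (allowed, reason) for a request, based on Origin/Referer.

    headers: dict of header name -> value (names matched case-insensitively).
    Origin is preferred because it is sent even when the browser withholds
    Referer for privacy; Referer is only a fallback for older clients.
    Use this as a second layer next to anti-CSRF tokens, not instead of them.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check needed"

    origin = h.get("origin")
    if origin and origin.lower() != "null":
        src = origin.lower()
    elif h.get("referer"):
        src = origin_of(h["referer"])
    else:
        src = None

    # Fail closed: a state-changing request with no usable source is refused.
    if src is None:
        return False, "no Origin or Referer on an unsafe request"
    if src in ALLOWED_ORIGINS:
        return True, f"source {src} is trusted"
    return False, f"source {src} is not trusted"


if __name__ == "__main__":
    print(csrf_check("POST", {"Origin": "https://app.example.com"}))
    print(csrf_check("POST", {"Referer": "https://app.example.com/settings"}))
    print(csrf_check("POST", {"Origin": "null"}))
```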
