I am trying to read the HTTP header Origin attribute from my web application in order to avoid some CSRF.
It seems the Origin is not part of the request header (checked from the Chrome console).
Is the Origin only set in HTTPS (as I have read that the Referer is not set in HTTPS)?
Is there any server support for this?
I am testing on an old JDeveloper OC4J server.
Should the same application deployed in WebLogic have the Origin attribute in its header?
Thanks in advance.