HTTP origin attribute - not appearing


3 replies to this topic

#1 eliokh

eliokh

    Neowinian

  • Joined: 01-July 10
  • Location: Lebanon
  • OS: Win7/XP

Posted 08 October 2013 - 18:10

Hello,

I am trying to read the HTTP header Origin attribute from my web application in order to avoid some CSRF.

It seems the Origin is not part of the request header (checked from the Chrome console).

Is the Origin only set in HTTPS (as I have read that Referer is not set in HTTPS)?

Is there any server support for this?

I am testing on an old JDeveloper OC4J server.

Any hint?

Should the same application deployed in WebLogic have the Origin attribute in its header?

Thanks in advance




#2 OP eliokh

eliokh

    Neowinian

  • Joined: 01-July 10
  • Location: Lebanon
  • OS: Win7/XP

Posted 10 October 2013 - 16:58

Anyone?

Here are the headers sent:

2013_10_10_19_56_25.png



#3 +Seahorsepip

Seahorsepip

    http://seapip.com

  • Tech Issues Solved: 20
  • Joined: 23-January 11
  • Location: Netherlands
  • OS: Windows 8.1 Pro
  • Phone: Nexus 5

Posted 10 October 2013 - 18:47

Should work without HTTPS :/

Also it's not supported by all servers, but most up-to-date Apache servers should support it.

http://stackoverflow...8087233#8087233

This might help you a bit?

And keep in mind: HTTP is a plain text protocol. The request header/body structure can be faked to anything you want. So using this on HTTP is like using a lock on your back door and keeping your front door open...



#4 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 4
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 14 October 2013 - 09:57

The Origin header is only sent for explicit CORS requests; normal requests don't have it.
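
Added example, not part of any post in this thread: a server-side source check for state-changing requests that compares Origin with the application's own origin, falls back to Referer when Origin is absent (the situation described in the first post), and rejects the request when neither is present. It is framework-agnostic Python rather than OC4J/WebLogic code; the trusted origin, the function names and the reject-when-absent policy are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the application's own origin; a constructed value for this example.
TRUSTED_ORIGINS = {"https://app.example.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Reduce an Origin or Referer value to scheme://host[:port], else None."""
    if not value or value.strip().lower() == "null":
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme, host = parts.scheme, parts.hostname  # both already lowercased
    if scheme not in DEFAULT_PORTS or not host:
        return None
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def check_request_source(method, headers, trusted=TRUSTED_ORIGINS):
    """Return (allowed, reason) for one request's method and header dict."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    lowered = {name.lower(): value for name, value in headers.items()}
    # Prefer Origin; fall back to Referer only when Origin is absent.
    for name in ("origin", "referer"):
        if name in lowered:
            if normalize_origin(lowered[name]) in trusted:
                return True, f"{name} matches"
            return False, f"{name} does not match"
    # Neither header present: fail closed.
    return False, "no origin or referer"


if __name__ == "__main__":
    # Constructed sample requests, not the headers from the screenshot above.
    samples = [
        ("POST", {"Origin": "https://app.example.com"}),
        ("POST", {"Referer": "https://app.example.com/account/edit"}),
        ("POST", {"Origin": "https://app.example.com.evil.example"}),
        ("POST", {"Host": "app.example.com"}),
    ]
    for method, headers in samples:
        print(method, headers, "->", check_request_source(method, headers))
```

The comparison is an exact match on the normalized scheme, host and port, so look-alike hosts and userinfo tricks in a Referer value do not pass.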