eliokh

HTTP origin attribute - not appearing

4 posts in this topic

Hello,

I am trying to read the HTTP Origin header from my web application in order to avoid some CSRF.

It seems the Origin is not part of the request headers (checked from the Chrome console).

Is the Origin only set over HTTPS? (As I have read that the Referer is not set over HTTPS.)

Is there any server support for this?

I am testing on an old JDeveloper OC4J server.

Any hint?

Should the same application deployed in WebLogic have the Origin attribute in its headers?

Thanks in advance.


Anyone?

Here are the headers sent:

[screenshot of the request headers: 2013_10_10_19_56_25.png]


Should work without HTTPS :/

Also, it's not supported by all servers, but most up-to-date Apache servers should support it.

http://stackoverflow.com/questions/4566378/how-secure-http-origin-is/8087233#8087233

This might help you a bit?

And keep in mind: HTTP is a plain-text protocol. The request header/body structure can be faked to anything you want. So using this on HTTP is like using a lock on your back door and keeping your front door open...


The Origin header is only sent for explicit CORS requests; normal requests don't have it.

