eliokh, posted October 8, 2013

Hello,
I am trying to read the HTTP header Origin attribute from my web application in order to avoid some CSRF. It seems the Origin is not part of the request header (checked from the Chrome console). Is the Origin only set in HTTPS? (As I have read that the Referer is not set in HTTPS.) Is there any server support for this? I am testing on an old JDeveloper OC4J server. Any hint? Should the same application deployed in WebLogic have the Origin attribute in its header?
Thanks in advance
eliokh (author), posted October 10, 2013

Anyone? Here are the headers sent:
Seahorsepip (Veteran), posted October 10, 2013

Should work without HTTPS :/ Also it's not supported by all servers, but most up-to-date Apache servers should support it. http://stackoverflow.com/questions/4566378/how-secure-http-origin-is/8087233#8087233 This might help you a bit? And keep in mind: HTTP is a plain-text protocol. The request header/body structure can be faked to anything you want. So using this on HTTP is like using a lock on your back door and keeping your front door open...
The_Decryptor (Veteran), posted October 14, 2013

The Origin header is only sent for explicit CORS requests; normal requests don't have it.
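The thread's point is that a server cannot count on Origin being present on every request, so an Origin-based CSRF check has to decide what to do when it is missing. The following is an added example, not code from the thread or from OC4J/WebLogic: the same check a servlet filter would perform, written as a pure Python function so the cases can be exercised directly. It falls back from Origin to the origin part of Referer and fails closed on state-changing requests that carry neither; the allow-list and the header samples are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the origins from which state-changing requests are accepted.
ALLOWED_ORIGINS = {"https://app.example.com", "http://localhost:8888"}

# Methods that must not change state and therefore need no source check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def request_origin(headers):
    """Return the scheme://host[:port] the browser reported, or None.

    Browsers send Origin on cross-origin and on non-GET requests, but not on
    every request (same-origin GET, older browsers). When it is absent, the
    Referer header reduced to its origin is the next best source signal.
    Browser scripts cannot set either header, which is what makes the
    comparison meaningful against CSRF (it says nothing about non-browser
    clients, which can send any headers they like).
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin:
        return origin.strip()  # may be the literal "null" for opaque origins; not trusted
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer.strip())
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(method, headers, allowed=ALLOWED_ORIGINS):
    """Return (allowed, reason) for one request.

    Safe methods are never blocked. For state-changing methods a missing
    source origin is rejected (fail closed), as is any origin outside the
    allow-list. This complements, rather than replaces, a synthetic CSRF token.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    source = request_origin(headers)
    if source is None:
        return False, "no Origin or Referer on state-changing request"
    if source.lower() in allowed:
        return True, f"origin {source} allowed"
    return False, f"origin {source} not in allow-list"
```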