HTTP origin attribute - not appearing

October 8, 2013

Hello,

I am trying to read the HTTP header Origin attribute from my web application in order to avoid some CSRF.

It seems the origin is not part of the request header (checked from chrome console).

Is the Origin only set in HTTPS? (as I have read that referer is not set in HTTPS)?

Is there any server support for this?

I am testing on an old jdeveloper OC4J server.

Any hint?

Should the same application deployed in weblogic have the Origin attribute in its header?

thanks in advance

October 10, 2013

Anyone?

Here are the headers sent:

October 10, 2013

Should work without https :/

Also it's not supported by all servers but most up to date apache servers should support it.

http://stackoverflow.com/questions/4566378/how-secure-http-origin-is/8087233#8087233

This might help you a bit?

And keep in mind: HTTP is a plain text protocol. The request header/body structure can be faked to anything you want. So using this on http is like using a lock on your backdoor and keeping your front door open...

October 14, 2013

The Origin header is only sent for explicit CORS requests, normal requests don't have it.

Sign In

Mini Spy

IObit Smart Defrag 5.3.0.976

YouTuber Convinces people to drill into their iPhone 7 to reveal hidden headphone jack

Linux Mint and CompuLab unveil new MintBox Mini Pro

No Man's Sky being investigated for false advertising in the UK

Time for another OS? Huawei reportedly switching its smartwatches to Samsung's Tizen

HTTP origin attribute - not appearing

4 posts in this topic

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Company

Community

Social

News

Forums

Software

Features

More