HTTP origin attribute - not appearing

October 8, 2013

Hello,

I am trying to read the HTTP header Origin attribute from my web application in order to avoid some CSRF.

It seems the origin is not part of the request header (checked from chrome console).

Is the Origin only set in HTTPS? (as I have read that referer is not set in HTTPS)?

Is there any server support for this?

I am testing on an old jdeveloper OC4J server.

Any hint?

Should the same application deployed in weblogic have the Origin attribute in its header?

thanks in advance

October 10, 2013

Anyone?

Here are the headers sent:

October 10, 2013

Should work without https :/

Also it's not supported by all servers but most up to date apache servers should support it.

http://stackoverflow.com/questions/4566378/how-secure-http-origin-is/8087233#8087233

This might help you a bit?

And keep in mind: HTTP is a plain text protocol. The request header/body structure can be faked to anything you want. So using this on http is like using a lock on your backdoor and keeping your front door open...

October 14, 2013

The Origin header is only sent for explicit CORS requests, normal requests don't have it.

Sign In

Mini Spy

Windows 10 builds 15063.447, 14393.1378, and 10586.965 now available - here's what's new

Apple facing OLED panel supply issues, could result in lower shipments of next iPhone

OnePlus 5 gets another software update, bumping OxygenOS to version 4.5.3

Samsung's refurbished 'Galaxy Note7 Fandom Edition' expected to launch on July 7

13 Years at Neowin

HTTP origin attribute - not appearing

4 posts in this topic

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Company

Community

Social

News

Forums

Features

Deals

More