Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?

Tags:

cors

The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rather than from a hosted web page. The spec also states that the Origin may be null if the request comes from a "privacy-sensitive" context.

My questions: What is a "privacy-sensitive" context, and are there any browsers that exhibit this behavior?

Here is the full phrasing from the Origin spec:

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

NOTE: This document does not define the notion of a privacy-sensitive context. Applications that generate HTTP requests can designate contexts as privacy-sensitive to impose restrictions on how user agents generate Origin header fields.

like image 713
monsur Avatar asked Mar 14 '14 05:03

monsur


People also ask

Do all browsers send origin header?

The reason for that is, as mentioned earlier in this answer, browsers always send the Origin header in all POST , PUT , PATCH , and DELETE requests. Also, for completeness here and to be clear: For navigations, browsers send no Origin header.

Is it possible to spoof origin header?

As said above there is NO WAY to prevent the Origin header from being spoofed.

Why is Origin header null?

The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rather than from a hosted web page. The spec also states that the Origin may be null if the request comes from a "privacy-sensitive" context.

How does browser set Origin header?

Setting the Origin header. The browser adds the Origin header to the HTTP request before sending the request to the server. The browser is solely responsible for setting the Origin header. The Origin header is always present on cross-origin requests, and the client has no way of setting or overriding the value.


1 Answers

I've finally figured out an answer to this. There is at least one other situation where an Origin header may be "null". When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to "null". I suppose this is considered a "privacy-sensitive context" because the browser doesn't want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.

like image 171
monsur Avatar answered Sep 29 '22 11:09

monsur