I'm exploring the idea of HTTP Origin checks as CSRF protection for Drupal at https://www.drupal.org/node/1803712
Now I was testing how the Origin header arrives with a POST request, but Firefox does not send the Origin header on the user login form submission. Chromium and Chrome work fine, they send the Origin header.
Firefox version is 36.0.1. I also tested with a clean Firefox installation because I thought maybe some of my browser plugins suppress the Origin header, but no luck - no Origin header there either.
Is there a documentation page that describes when Firefox sends the Origin header and when not?
Also, for completeness here and to be clear: For navigations, browsers send no Origin header. That is, if a user navigates directly to a resource — by pasting a URL into a browser address bar, or by following a link from another web document — then browsers send no Origin header.
Cross-origin requests carry an Origin header that identifies the scheme, host and port (but not the path) of the context that initiated the request. Browsers attach it to every CORS request and, in most browsers, to form POSTs as well; it is not sent on plain navigations, and at the time of this question Firefox also omitted it on ordinary form submissions, so a server cannot assume it is always present.
The Origin HTTP header is a request header that indicates the security context (scheme, host and port) that initiated the request, without the path information a Referer would carry. It is added by the browser and cannot be set or removed by page script; a non-browser client can send any value, but that does not help a CSRF attacker, whose attack depends on the victim's own browser making the request.
It isn't implemented yet. There's a discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=446344
The default on Firefox is not to send HTTP_ORIGIN.
The reason is a bug that causes hangs on some mobile Firefox versions if the network.http.sendOriginHeader configuration variable (accessible via about:config) is enabled. (For details see https://developer.mozilla.org/en-US/Firefox/Experimental_features#Security and the link provided by Marco's comment https://bugzilla.mozilla.org/show_bug.cgi?id=446344.)
There is a proposal to enable FF sending HTTP_ORIGIN by default, but the TODO list is long (see https://bugzilla.mozilla.org/show_bug.cgi?id=1424076). So it will probably take years until FF generally sends HTTP_ORIGIN even without JavaScript code enabling CSRF.
Some FOSS OSes preconfigure their FF ports to send HTTP_ORIGIN by default. BTW, MS Edge also does not send HTTP_ORIGIN without explicitly enabling CSRF using JavaScript.
For this reason I have implemented a security setting of my site which enables the users to disallow POST transactions from browsers that do not provide HTTP_ORIGIN.
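As an added worked example (not Drupal's code and not from any of the answers above), here is the kind of server-side check the question and the last answer describe, written in Python so it runs stand-alone: it takes the request's Origin when present, falls back to the origin part of Referer when the browser sent no Origin (as Firefox 36 did on the login form POST), and exposes the strict "refuse POSTs with no Origin" setting as an option. SITE_ORIGIN, the helper names and the sample header sets are assumptions constructed for illustration, not captured traffic.

```python
# Added example: Origin/Referer-based CSRF check for state-changing requests.
# Not Drupal code. SITE_ORIGIN and SAMPLES are constructed for illustration.
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # assumption: this site's own origin


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def normalize_origin(value: str) -> Optional[str]:
    """Reduce a URL or origin string to lower-cased scheme://host[:port].

    Returns None if the value does not parse as an absolute URL, which is
    what a garbage or relative Referer yields."""
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin the browser claims the request came from, or None if unknown.

    Origin wins when present. The literal "null" (opaque origin: sandboxed
    iframe, cross-origin redirect, privacy mode) is passed through so the
    caller can reject it. Without Origin, the Referer's origin part is used,
    because browsers that omit Origin on form posts still send Referer unless
    a referrer policy strips it; with neither header, the source is unknown."""
    origin = _header(headers, "Origin")
    if origin is not None:
        origin = origin.strip()
        if origin == "null":
            return "null"
        return normalize_origin(origin)
    referer = _header(headers, "Referer")
    if referer:
        return normalize_origin(referer)
    return None


def csrf_check(method: str, headers: Dict[str, str],
               site_origin: str = SITE_ORIGIN,
               reject_missing: bool = False) -> Tuple[bool, str]:
    """Decide whether a request may proceed. Returns (allowed, reason).

    Safe methods are never blocked; the check only matters for state-changing
    ones. reject_missing=True is the strict setting described above: refuse
    POSTs from clients that provide no Origin (and here no usable Referer)."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    src = source_origin(headers)
    if src is None:
        if reject_missing:
            return False, "no Origin or Referer header"
        return True, "no Origin or Referer header; accepted by lenient policy"
    if src == "null":
        return False, "opaque (null) origin"
    if src == normalize_origin(site_origin):
        return True, "origin matches site"
    return False, f"cross-origin request from {src}"


# Constructed sample header sets modelling what the question reports.
SAMPLES = {
    "chrome_form_post": {"Origin": "https://example.com",
                         "Referer": "https://example.com/user/login"},
    "firefox36_form_post": {"Referer": "https://example.com/user/login"},
    "navigation_or_bookmark": {},
    "cross_site_form": {"Origin": "https://attacker.example",
                        "Referer": "https://attacker.example/csrf.html"},
    "sandboxed_iframe": {"Origin": "null"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        for strict in (False, True):
            ok, why = csrf_check("POST", hdrs, reject_missing=strict)
            verdict = "ALLOW" if ok else "DENY"
            print(f"{name:24} strict={str(strict):5} -> {verdict:5} ({why})")
```

Two caveats follow from the answers above. With reject_missing=False, a POST that carries neither header (a Firefox 36 form post from a page served with a no-referrer policy, for instance) is accepted, so this check cannot replace a per-session CSRF token; it is a cheap first filter in front of one. With reject_missing=True those users are locked out, which is exactly the trade-off the site-wide setting in the last answer leaves to the administrator.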