You cannot use the Origin header to reliably restrict userscript access to your APIs.
By default, GM_xmlhttpRequest() does not send an Origin header at all. In addition, GM_xmlhttpRequest allows cross-site requests; this is the main reason GM_xmlhttpRequest exists.
Also, for Greasemonkey (Firefox) and Tampermonkey (Chrome), GM_xmlhttpRequest does not send a Referer header by default.
However, both headers can be overridden to whatever the script writer wants.
Here is a demo script that spoofs both headers (use a packet sniffer to see for yourself):
// ==UserScript==
// @name     _Test Fake Referrer
// @include  http://stackoverflow.com/questions/18178934/*
// @grant    GM_xmlhttpRequest
// ==/UserScript==

GM_xmlhttpRequest ( {
    method: "GET",
    url: "http://www.google.com",
    headers: {
        referer: "http://microsoft.com",
        origin:  "http://microsoft.com"
    }
} );
Chrome's native user scripts don't get GM_xmlhttpRequest. Chrome's native user scripts never send the Origin header and always send the current page as the Referer.
If you try to spoof either of these headers, the console will show errors, for example:
Refused to set unsafe referer header
Failed to set unsafe header "origin"
This is another reason to use Tampermonkey for your custom Chrome scripts.