Why does Chrome / Safari include the Origin header in the Access-Control-Request-Headers header?

This question is a kind of continuation of "Why are custom headers included in Access-Control-Request-Headers?"

During the CORS preflight request, both Chrome and Safari include the Origin header in the Access-Control-Request-Headers header. They ignore this header, in the sense that Origin does not have to be in the corresponding Access-Control-Allow-Headers header. Although the CORS specification does not define Origin as a simple header, there are other headers, such as User-Agent, that are not defined as simple headers and yet are not included in the Access-Control-Request-Headers header. Firefox does not include the Origin header in the Access-Control-Request-Headers header.

So my question is: why do Chrome and Safari include the Origin header in Access-Control-Request-Headers, especially since it has no effect? I assume it is because they are based on WebKit, but I am looking for an answer that goes deeper into why this behavior exists at all.


Source: https://habr.com/ru/post/1497367/
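
A server that validates preflight requests strictly has to cope with the difference described in the question. The following is an added example, not part of the original post: it checks Access-Control-Request-Headers against an allow list while skipping Origin, so that Chrome/Safari-style and Firefox-style preflights get the same decision. The function names, the policy and the sample origins are constructed for illustration.

```javascript
// Added example (hypothetical names, constructed policy).
// Origin is set by the browser, not by page script, so its *name* showing up
// in Access-Control-Request-Headers is skipped instead of being rejected.
const BROWSER_SET = new Set(["origin"]);

const POLICY = {
  allowedOrigins: new Set(["https://app.example"]),            // constructed
  allowedHeaders: new Set(["content-type", "x-requested-with"]) // constructed
};

// Split a comma-separated header list into lower-cased names.
function parseHeaderList(value) {
  return (value || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
}

// requestHeaders: object with lower-cased header names, as Node's http gives.
function evaluatePreflight(requestHeaders, policy = POLICY) {
  // The access decision uses the *value* of the Origin request header.
  const origin = requestHeaders["origin"];
  if (!origin || !policy.allowedOrigins.has(origin)) {
    return { allowed: false, reason: "origin not allowed", responseHeaders: {} };
  }
  const requested = parseHeaderList(requestHeaders["access-control-request-headers"]);
  const toCheck = requested.filter((h) => !BROWSER_SET.has(h));
  const rejected = toCheck.filter((h) => !policy.allowedHeaders.has(h));
  if (rejected.length > 0) {
    return {
      allowed: false,
      reason: "header not allowed: " + rejected.join(", "),
      responseHeaders: {}
    };
  }
  return {
    allowed: true,
    reason: "ok",
    responseHeaders: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Headers": toCheck.join(", "),
      "Vary": "Origin, Access-Control-Request-Headers"
    }
  };
}
```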

