When do browsers send an Origin header? When do browsers set the origin to null?

As you can see from this Bugzilla thread (as well), Firefox does not always send the Origin header in POST requests. The RFC states that it should not be sent in certain vague "sensitive privacy" contexts. Mozilla defines these contexts here.

I would like to know if these are the only situations where Firefox does not send the Origin header. As far as I can tell, it will also not send it in cross-origin POST requests (although Chrome and IE will), but I cannot confirm this in the documentation. Is it listed somewhere that I missed?

+11
1 answer

As far as what the specifications require, the question above should be divided into a couple of answers:

  • When browsers need to send an Origin header
  • When browsers must internally set an origin to a value that'll get serialized as null

I doubt that what Firefox requires for this (where it differs from the specification) is listed. But as for the listing of specification requirements, here they are, in all details, divided into two parts:

When browsers need to send an Origin header

Origin? is: Origin , Fetch CORS:

CORS- - HTTP- Origin. CORS, Origin , GET HEAD.

Fetch, , Origin , GET HEAD:

CORS httpRequests GET HEAD, Origin/httpRequests origin, serialized UTF-8 httpRequests.

Origin POST , POST ( Fetch "CORS " - Theyre ).


. , Fetch , , 2016-12-09. :

  • Origin POST-
  • Origin POST <form> ( CORS)

, Firefox, , , , , .


, Origin , " CORS", , HTTP (S) , websocket, - navigate, websocket, same-origin no-cors.

XHR cors. API Fetch mode init-object fetch(…):

fetch("http://example.com", { mode: 'no-cors' }) // no Origin will be sent

crossorigin ( " CORS) HTML , cors ( Origin).

, (, , , -), no-cors, , Origin .

, Origin.

, null.

origin , null

, Origin , null, :

HTML :

, , ( "" ASCII- ), .

, , HTML , null.

HTML , :

  1. ( img )
  2. ( video audio)
  3. , data: URL
  4. iframe sandbox allow-same-origin
  5. , createDocument() ..
  6. ,
  7. ,
  8. ?

Fetch , " " ( , " ", null …) :

URL , :

  1. blob: URL
  2. file: URL
  3. URL, http, https, ftp, ws, wss gopher.

, , , null - , Origin . , , Origin.

+24

Source: https://habr.com/ru/post/1685201/

